Hussein k. Isingoma - PowerPoint PPT Presentation

About This Presentation
Title:

Hussein k. Isingoma

Description:

A Pragmatic and Effective Approach to Business Continuity and Recovery Planning, by Hussein K. Isingoma, CISA, CISM, CRISC, CIA, FCCA, CPA, MSc, BBS, Ag. – PowerPoint PPT presentation

Number of Views:212
Avg rating:3.0/5.0
Slides: 20
Provided by: BakerKos
Learn more at: https://engage.isaca.org

Transcript and Presenter's Notes



1
A PRAGMATIC AND EFFECTIVE APPROACH TO
BUSINESS CONTINUITY AND RECOVERY PLANNING
  • By
  • Hussein K. Isingoma
  • CISA, CISM, CRISC, CIA, FCCA, CPA, MSc, BBS
  • Ag. Assistant Commissioner, Internal Audit
  • Ministry of Finance, Planning and Economic
    Development

2
Presentation Plan
  • Introduction and Background
  • Understanding Business Continuity and Disaster
    Recovery Planning
  • The Need for BC/DR Planning and Management
  • BC/DR Planning Tasks/Processes
  • Achieving Effective BC/DR Planning: Key Issues
  • BCP Resiliency: Thinking Cloud?
  • Conclusions

3
Introduction and Background
  • The world is still fresh with the shock and memories
    of the recent events and impact of the March 2011
    Japanese earthquake/tsunami, which caused
    devastating destruction of infrastructure, most
    notably at the Fukushima Nuclear Plant
  • The Fukushima disaster is being termed probably
    the biggest industrial catastrophe in the history
    of mankind
  • The nuclear plant was run by the Tokyo Electric
    Power Company (TEPCO), which supplied 1/3 of
    Japan's electricity before and until the quake.
  • The seawall designed to mitigate the impact of a
    tsunami was only 5.7 metres high, and no previous
    assessment had ever considered the possibility of
    a tsunami exceeding 5.7 metres. They were wrong:
    the 03/11 tsunami rose to 15 metres just 45
    minutes after the earthquake
  • BBC news reports and the Economist newspaper of
    28th June 2011 reported a fall in TEPCO's share
    price by 85, a prospect of 100 billion in
    compensation, 23,000 dead or missing, and
    80,000 evacuated
  • The company's tsunami safety plan was only one
    page long and had last been updated in 2001
  • The 9/11 World Trade Centre terrorist attack took
    out a total of 13,000 servers, and the estimated
    cost of replacing IT for the affected securities
    firms stood at 3.2 billion.
  • Other disasters or near disasters occasioned by
    IT failures include the loss of 25 million Child
    Benefit recipients' records in the UK, and the
    failure of the former Soviet Union's early
    warning system in 1983 that almost drew the world
    to the prospect of World War III.

4
Business Continuity/Disaster Recovery Planning
  • The purpose of Business Continuity is to ensure
    that core business functions continue with
    minimal or no interruption.
  • The objective is to ensure that the organization
    will survive and continue to generate revenue.
  • Disaster recovery is about rebuilding
  • Clients and investors alike are notorious for
    abandoning organizations during their rebuilding
    phases
  • It doesn't take much to cause layoffs, a fall in
    stock or share prices, or even permanent
    shutdowns
  • These realities drive the evolution from disaster
    recovery to business continuity

5
The Need for BC/DR Planning and Management
  • What do organizations or businesses need?
  • News of the World!!!! Did they ever plan for the
    phone hacking scandal that led to its closure???
  • In the aftermath of recent natural disasters,
    terrorism and equipment breakdowns, businesses
    have recognized more than ever the need to be
    prepared
  • Firms/companies are striving to meet the demand
    for continuous service
  • The growth of e-commerce has pushed systems
    availability expectations toward 24x365
  • It is important that a BCP, adequately supported
    throughout the organization, embodies the
    strategic framework for a corporate culture that
    mitigates risks that might cause:
  • Business process failure
  • Asset loss
  • Regulatory liability
  • Customer service failure
  • Damage to reputation
  • Business survival necessitates planning for every
    type of business interruption.

6
BC/DR Planning: The Risk Management Perspective
  • Part of the Risk Response Strategies
  • Risk Management

7
BC/DR Planning Tasks/Processes
8
BC/DR Planning Enablers
9
Rationale for BC/DR Planning: the Business Value
Case
  • Value delivery. Coping with severe impacts on the
    business arising from interruptions makes
    businesses more valuable, reliable and
    dependable
  • Survival. A well designed, exercised and
    maintained plan is the difference between a
    business's ability to continue as a going concern
    and going bust!
  • Risk management maturity enhancement
  • Competitive advantage: the case for offshore
    software development initiatives/vendors
  • Staff and client confidence
  • Compliance
  • Insurance costs/premiums
  • Diagnosing organizational efficiency

10
Business Contingency Planning: General Procedures
(flowchart)
  • Disaster
  • Call Business Continuity Coordinator: 1st person
    on scene calls the BC Manager
  • Call Recovery Management Team
  • Inform HQs
  • Recovery Mgt Team reports to Command Centre
  • Recovery Team reports to Disaster Scene
  • Report status to Recovery Mgt Team
  • Will the organization be out > 72 hrs?
  • No: return to normal operations
  • Yes: inform COO/CTO
  • Invoke BCP?
  • No
  • Yes: invoke BCP
11
Achieving Effective BC/DR Planning: Key Issues
  • Top or senior management sponsorship. Consensus
    ought to be established to:
  • Guide which aspects of the business are to stay
    operational in case of disruptions
  • Set the level of protection needed (risk appetite)
  • Synchronize BC/DR plans with the overall business
    strategy
  • Risk analysis
  • Risk identification should consider a wide range
    of possible scenarios.
  • More often than not, BCPs consider only the most
    likely scenarios
  • Although focusing on big events is desirable, a
    narrow focus on risk could leave the organization
    exposed to potentially disastrous events
  • Business impact analysis (BIA)
  • Organizations have limited resources. There is a
    need to focus on the key processes that must be
    recovered in case of a disaster
  • Focus on key business processes and critical
    dependencies
  • The BIA needs to be kept updated as the business
    changes, or be subject to periodic review
  • Identify process-specific recovery time
    objectives (RTOs)
  • Prioritise recovery efforts based on agreed RTOs
  • Review service level agreements with service
    providers
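As an added worked example (not from the presentation), the following Python models the BIA steps above: each process carries an agreed RTO and its critical dependencies; the code flags processes whose RTO cannot be met because a dependency has a longer RTO than they do, and it orders recovery so that dependencies are restored first and, among processes that are ready, the shortest RTO is restored first. The process names, RTO values and dependencies are constructed sample data, not figures from the presentation.

```python
"""Added example: RTO-driven recovery prioritisation from a business impact
analysis (BIA). Not part of the original presentation; all data below is
constructed for illustration."""

from dataclasses import dataclass, field
from graphlib import TopologicalSorter, CycleError  # standard library, Python 3.9+
import heapq


@dataclass
class Process:
    name: str
    rto_hours: float               # agreed recovery time objective
    depends_on: list = field(default_factory=list)  # critical dependencies


def _index(processes):
    """Map name -> Process and reject dependencies on unknown processes,
    which usually means the BIA is incomplete."""
    by_name = {p.name: p for p in processes}
    for p in processes:
        for dep in p.depends_on:
            if dep not in by_name:
                raise KeyError(f"{p.name!r} depends on unknown process {dep!r}")
    return by_name


def rto_conflicts(processes):
    """Return (process, dependency) pairs where the dependency's RTO is longer
    than the process's own RTO. Such a process cannot meet its RTO until the
    dependency's RTO is tightened, so the BIA needs revisiting."""
    by_name = _index(processes)
    conflicts = []
    for p in processes:
        for dep in p.depends_on:
            if by_name[dep].rto_hours > p.rto_hours:
                conflicts.append((p.name, dep))
    return conflicts


def recovery_order(processes):
    """Order recovery so every dependency is restored before the process that
    needs it; when several processes are ready, the shortest RTO goes first."""
    by_name = _index(processes)
    # graphlib treats the mapped iterables as predecessors: dependencies first.
    sorter = TopologicalSorter({p.name: set(p.depends_on) for p in processes})
    try:
        sorter.prepare()           # detects circular dependencies
    except CycleError as exc:
        raise ValueError(f"circular dependency in BIA: {exc.args[1]}") from exc

    order = []
    ready = [(by_name[n].rto_hours, n) for n in sorter.get_ready()]
    heapq.heapify(ready)
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        sorter.done(name)          # releases processes that depended on it
        for n in sorter.get_ready():
            heapq.heappush(ready, (by_name[n].rto_hours, n))
    return order


# Constructed sample BIA (hypothetical organisation, hypothetical RTOs).
SAMPLE = [
    Process("Network", 2),
    Process("Identity", 4, ["Network"]),
    Process("Database", 6, ["Network"]),
    Process("Customer portal", 8, ["Identity", "Database"]),
    Process("Email", 24, ["Identity"]),
    Process("Payroll", 48, ["Identity"]),
    # RTO of 2 h cannot be met: it depends on Identity, whose RTO is 4 h.
    Process("Treasury payments", 2, ["Identity"]),
]

if __name__ == "__main__":
    for proc, dep in rto_conflicts(SAMPLE):
        print(f"RTO conflict: {proc} needs {dep}, which has a longer RTO")
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE)))
```

The conflict check is the part a reviewer of a BIA most often needs: an agreed RTO is only meaningful if every critical dependency has an RTO at least as tight, and the same reasoning applies to the service level agreements with providers mentioned in the last bullet.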

12
Contd.
  • BC/DR organization
  • Roles and responsibilities need to be defined
  • BC/DR requires organization, coordination and
    execution
  • How and when is a disaster declared, and by whom?
  • Criteria for defining a disaster, and therefore
    for declaring one
  • Plan exercising/testing
  • If a BC/DR plan is not tested, it could fail
    under the stress of a real disaster
  • The ability of the BCP to execute when a disaster
    is declared is key
  • Annual testing of the plan is desirable
  • Look at ways of integrating testing into normal
    business operations
  • Testing is an opportunity to exercise
    failover/redundancies
  • Scoping
  • Avoid over-concentration on resumption of business
    at the expense of people and processes
  • Personnel can be incredibly inventive and
    innovative in times of disaster, as opposed to
    systems
  • People issues tend to be the more difficult
    challenges to resolve during a disaster

13
Contd.
  • Funding of BC/DR activities
  • Many organizations consider BC/DR good but not
    essential
  • Many plans are unfunded, posing further risks to
    the organization's business continuity
  • There is a need to develop formal business cases
    for BC/DR funding
  • Projects need to take continuity issues into
    consideration before implementation
  • Communication plan
  • There is a need for a well documented
    communication plan
  • Employee call trees and supplier and vendor
    contacts need to be constantly updated
  • Consider multi-vendor support for key means of
    communication
  • Media management/public relations
  • Reputation loss needs to be mitigated through
    effective media management
  • Clients and the public need reassurance and faith
    that the situation is not as bad as perceived and
    is under control
  • It's about winning the hearts and minds of
    stakeholders
  • Staff members or employees should not give their
    own view of the situation to the media
  • Prepare public statements in advance to prevent
    the media from turning the situation into a
    public relations nightmare

14
Contd.
  • Security
  • The time the organization is most vulnerable to
    security threats is during a disaster
  • The propensity to ignore security procedures is
    very high
  • The incident management team and structure must
    include appropriate IT security staff to stem all
    possible anomalies
  • Inventory management
  • Review the inventory list continuously
  • A comprehensive list of equipment needed for
    recovery and resumption activities should be
    maintained
  • Role of insurance
  • Ensure that insurance provisions address timely
    reimbursement of losses accruing from a disaster
  • Internal organizational policies need to address
    the accounting treatment of assets and related
    depreciation
  • A clear definition of the scope covered under
    insurance is critical
  • Insurance policies need to be constantly
    monitored so as to reflect new realities, risks
    or challenges to the business

15
Complacency!
  • BCP requires constant updating
  • Business risks and related potential impacts are
    constantly changing

16
BCP Resiliency: Thinking Cloud?
  • Amazon EC2
  • Lessons
  • Whilst it is easy to be critical of Amazon, for
    many who have used its EC2 cloud, the benefits to
    their performance, business continuity and
    resilience have been significant.
  • Many have been able to achieve higher levels of
    uptime and reduce costs whilst managing higher
    demands.
  • The April 2011 AWS (Amazon EC2) "failure" has
    probably caused their customers to take a hard
    look at their business continuity plans
  • Challenges related to security responsibility,
    information residence, data ownership and
    confidentiality remain in the cloud
  • A well structured service level agreement (SLA)
    that includes the right to audit is key in
    assisting the organization to manage data that
    is stored, in transit or processed in the cloud
  • Think through the business case for going cloud
    carefully and thoroughly
  • Understand the infrastructure upon which the
    cloud operates; do you need internal IT
    resources???
  • How robust are your cloud SLAs as regards
    compensation for downtime? Are they worth the
    cost of the downtime?
  • Remember too well that
  • Your fate is in the hands of the service
    provider, whose fate is in the hands of...?????

17
BCP: Which Way to Go???
  • Crossroads or an epitome of science?
  • Balancing the act!!!
  • "The greatest glory in living lies not in never
    falling, but in rising every time we fall"
  • Nelson Mandela

18
References: BCP standards
  • Control Objectives for Information and Related
    Technology (COBIT)
  • Federal Emergency Management Association (FEMA)
  • National Institute of Standards and
    Technology (NIST)
  • Disaster Recovery Institute International (DRII)

19
Conclusion!
  • BCP is about managing and mitigating the
    potential impact of change
  • Remember!
  • When trying to predict future organizational
    environments, it seems that our only certainty is
    that things will change
  • (Kotler, 1998)