Enterprise Resilience What it is and why you need it June 5, 2014 Rod Ratsma Head of Resilience Advisory.

Presentation transcript:


Resilience and Introduction to BCM

Resilience – some definitions (Oxford English Dictionary)
• “The ability of a substance or object to spring back into shape”
• “The capacity to recover quickly from difficulties; toughness”

Resilience – why it’s important to you
• If your responsibility lies in IT recovery,
  − then you’re here because you understand the importance that IT as a dependency has to your organisation
  − BUT information technology is just one of many dependencies, and IT recovery on its own isn’t enough to protect the entire set of business processes needed by an organisation
• If your responsibility lies in business continuity management,
  − you already understand the importance of full business process recovery
  − BUT process recovery on its own isn’t enough: what about customers, brand, reputation, dependencies, supply chain?
• If you are a leader in your organisation,
  − you understand that your business is subject to a number of risks
  − you have options about how you can treat those risks, and your stakeholders have a (limited) tolerance for making your problems into their problems;
  − AND it might well be you that has to deal with the fallout, both in terms of responsibility and (legal) consequences
It’s better that you are informed and seen as proactive

Enterprise resilience: Some thoughts from the media…
C-level execs: Disaster recovery is more than just an IT problem
One of the most challenging issues CIOs face is developing disaster recovery (DR) plans that go beyond system recovery and focus on overall business continuity. Is there a difference? If you're a corporate shareholder, the (ITDR) process doesn't work that way. You want to know the business can continue, and if you serve on the company's board, you want to be able to assure people that the company is not in ruins. The mouthpiece for this process is the CEO and, in some cases, the public relations director -- not IT. In the beginning stages of DR, nothing is more important to the public and the stakeholders than communications.
Source: Tech Republic, May 2014

Enterprise resilience: Some thoughts from the media
“Cyber security is no longer sufficient to ensure business sustainability. Yes, organizations need to defend themselves against potential attack, but they must accept that some attacks will inevitably succeed. Therefore, an organization’s cyber resilience is now the critical survival factor – its ability to recover quickly once an attack has taken place.”
“Business continuity is unequivocally a boardroom responsibility, so directors will have to increase the attention and resources they devote to information security and resilience. For example, spending just 10 percent of the IT budget on security is no longer adequate to keep your organization in business.”
Source: Alan Calder, Executive Chairman of IT Governance, May 2014

Enterprise resilience: Some thoughts from the media
“Recovery capabilities are stagnating”
One of the biggest challenges in DR today is the pressure between business expectations for recovery objectives and technology management’s ability to deliver on them. In fact, 35% of companies in the 2013 Forrester/DRJ survey responded that mismatched business expectations with technology capabilities was one of the biggest challenges they faced when recovering from their most recent disaster or major business disruption.
Source: Forrester Research Inc. “The State of Business technology Resiliency Q

Context: Your IT is resilient, but is your business resilient?
• Systems and data recovery
• Work area recovery

A test for the unbelievers
Who said this?
“When anyone asks me how I can best describe my experience in nearly forty years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident... of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.”
E. J. Smith, 1907, Captain, RMS Titanic

BCM – Main Components

Business Continuity Management: What is business continuity management?
The ability to respond to the cause(s) of an incident, and to recover from the effect(s) of an incident (and doing what you can to stop an incident from happening in the first place)

Business continuity management: The anatomy of an incident
Let’s imagine an incident right now!

Business continuity management: Emergency response
• Incident identification
• Initial escalation
• Initial assessment
• Initial actions
• First point of contact 24x7
• Contact with Emergency Services
• Evacuation and crowd control
• Safety of staff and other people
• Protection of assets
• Liaison and escalation to crisis management

Business continuity management: Crisis management
• Manage the organisation while it is in distress
• Protect the business, its reputation and its market share
• Make critical decisions regarding response and recovery
• Deal with stakeholders, the authorities and the media
• Internal and external communications
• Invoke and manage business recovery

Business continuity management: Business and operational recovery strategies
• Continue most critical activities
• Maintain market share
• Workarounds
• Most critical customers
• Alternative locations
• Alternative methods
• Pre-event actions
• Funding
• Access to data and systems
• Get back to normal

Business continuity management: The vision
‘A clear action plan that tells a senior manager exactly what needs to be done when he or she is standing in a car park at 6.30 in the morning looking at the spot where the building / plant / asset used to be …’

Recovery planning

Recovery planning: Methodology
• Business impact analysis (BIA)
  − What are the key business processes and value chains in your organisation?
  − What and who do they depend upon?
  − What are the impacts of failures of the value chains over time?
  − What are the threats?
  − What is the MTPoD / MAO (maximum tolerable period of disruption / maximum acceptable outage) of each value chain?
• Recovery strategy development
  − What strategies can be selected to recover a value chain if it fails for any reason in order to deliver MTPoD / MAO?
• Plan development
  − Develop recovery plans in accordance with these strategies
• Maintain, update, rehearse
  − Rehearse and maintain the plans
• Programme management
  − Establish a BCM oversight / policy / framework programme
• Culture and awareness
  − Embed BCM into company management systems and culture and increase staff awareness

Resilience: Why we all need it!
[Figure: Performance against Time; labels: Lucky escape, Failure!]

Some questions for you…

Enterprise Resilience: Some questions to think about…
• Does your organisation have a fully tested and robust framework of business continuity management in place today?
  − Site/scenario-based response plans
  − Business-based crisis management plans
  − Process- / value chain-based recovery strategies and plans
• If you arrived at your normal place of work after this meeting, or after lunch, or tomorrow, and it was inaccessible, damaged or destroyed – would you know what to do?
• If your building was evacuated tomorrow, people were hurt, and you found yourself in charge, would you know what to do?
• What would be the effect on your business and its ownership of a significant disruption to production or supply of goods or services?
• Is there a recent analysis to confirm that your regime of IT disaster recovery can fully support the needs of the business following a major incident?

Enterprise Resilience: Some questions to think about…
• How would an inability to supply your customers for an extended period affect your brand, reputation and market share?
• How bad would it be for your business if an incident made national or international news and it was perceived to be your fault?
• Do you know which of your suppliers can affect your business the most?
• Do you know which of your customers can affect your business the most?
• Do you understand how your internal production and business units depend upon each other?
• Is there somebody in your board room / management team / c-suite that has overall responsibility for risk management?
• Does your organisation test its plans at least annually?

Our capabilities

Resilience: IT infrastructure is just part of the puzzle
• Systems and data recovery
• Work area recovery

Resilience: The bigger picture?
• Incident response
• Work area recovery
• Insurance
• Crisis management
• Systems and data recovery
• Drivers, benefits, ROI
• Risk management
• Operational recovery
• Business recovery
• Supply chain
• Brand and market share
• Infosec, cyber

Phoenix's capabilities: How can we help you?
• Value chain and impact analysis
• Gap analysis / benchmark / health check
• Risk analysis (process / site)
• Recovery strategy design
• Recovery plan creation
• Crisis management planning
• Testing and rehearsing
  − Desktop / simulation
  − Crisis / recovery
• Resilience framework design
• Training and awareness
• IT recovery planning
• Information security risk
• IT risk analysis
• Supply chain risk management
• Emergency response planning
• BCMS software and automation – Shadow-Planner

Thank you