Business Continuity Risk: Mitigation and Contingency Planning
An ounce of prevention... and what to do when that's not enough

Discussion Leader: Andrew Gansler, Senior Manager, Management Consulting Services, agansler@gt.com
Moderator and Q&A: Lawrence Baye, Principal, Management Consulting Services, lbaye@gt.com

November 6, 2001


What is Business Continuity Risk?

Grant Thornton LLP defines business continuity risk as...

...the threat of any incident that may cause an extended disruption of business functions or impact the ongoing integrity of the firm.


What are the risks to business continuity?

• Traditional Concerns
  – Fire
  – Storm
  – Flood
  – Hurricane
  – Earthquake
  – Power outage
  – Equipment failure

• Less publicized but emerging trends
  – Intrusion (physical or logical)
  – Control failures
  – Sabotage
  – Terrorist activity


Some statistics…

• 2 out of 5 businesses that experience a major disaster will cease to exist within 2-5 years (Gartner, 2001)

• Some believe that as many as 80% of businesses suffering a major disaster will cease to exist as a direct or indirect result (BCC, 2001)

• The average bank robbery yields $2,500; average computer crime nets $500,000 (CSI/FBI 2001 Survey)

• Less than 50% of existing business continuity plans meet their firms' recovery objectives (KPMG)


What's at stake for you?

• Assets "at risk"
• Customer confidence
• Fiduciary responsibility
• Regulatory and other compliance
• Insurance 'out' clauses
• Trading partner relationships


Key considerations for Professional Services firms

• Fractionalization of firm
  – Reduced cohesion for collaboration
  – Controls breakdown

• Paper morass
  – Drawings, transcripts, contracts, discovery materials, etc.
  – Replacement issues

• Intellectual capital
• Confidence level of employees
• Availability of mission-critical information
• Insurance exclusions


Key trends and challenges for real estate management companies

• Increased insurance premiums
• Security costs
  – Security/operation balance
  – Cost cutting environment/static budgets

• Loss of tenants
• New service expectations
  – Full backup power
  – Redundant/enhanced telecommunications

• Availability of investment capital
• Tenant diversification
• Prospective tenant's risk assessment


How to manage and mitigate business continuity risk

• Risk Mitigation
  – Emphasis on safeguarding your assets
    • Physical
    • Logical (information)

• Contingency Planning
  – Quickly returning your business to a functional state after an unavoidable and significant incident


Framework

Prevention, Detection, Recovery


The information security problem

• Securing the server and its data
• Securing information while in transit
• Securing the user's computer


Methods of intentional attack on information resources…

• Logical / Hacking
  – Passwords
  – Port/packet sniffing
  – Demon dialers
  – Spoofing
  – Home users

• Virus threats
  – 89% of respondents reported a problem (IS Magazine)
  – Platform specific
  – Easy to engineer


The neglected areas

• Physical restriction
• Data backup
  – Frequency
  – Completeness
  – Testing


What can be done?


Three Ds of security policy


Tools, methodologies and best practices

• Control management
  – CPA WebTrust/SysTrust
  – SAS 70

• Encryption and authentication
  – Digital IDs
  – VeriSign®
  – SSL
  – PPTP

• Intrusion prevention, detection and monitoring
  – Configuration
  – Firewalls / proxy servers
  – Detection/monitoring software
  – Intrusion testing

• TrueSecure
• GrantGuard


Tools, methodologies and best practices (cont.)

• Strict backup procedures
  – Full backups
  – Client backups
  – Documentation
  – Off-site rotation
  – Periodic recovery tests

• Virus updates
  – Footprints
  – Push to users
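As an added illustration of the backup items above (full backups, off-site rotation, periodic recovery tests) and of the frequency, completeness and testing gaps listed under "The neglected areas", here is a small POSIX shell routine; it is not code from the deck or from Grant Thornton, and it assumes tar and GNU sha256sum are installed and that the source and backup directory names are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the Grant Thornton deck: a minimal full-backup routine
# with a checksum manifest, generation rotation and a periodic recovery test.
# Assumes POSIX sh, tar and GNU sha256sum; directory names are the caller's.
set -eu

KEEP_GENERATIONS=3   # rotation depth: how many full backups to retain

# full_backup SRC_DIR BACKUP_DIR: writes full-NNNN.tar plus a SHA-256 manifest
# of every file, so a later restore can be checked against what was actually
# backed up. Prints the archive path.
full_backup() {
  src=$1
  mkdir -p "$2"
  dest=$(cd "$2" && pwd)          # absolute, so the manifest path survives a cd
  seq=$(cat "$dest/.seq" 2>/dev/null || echo 0)
  seq=$((seq + 1))
  echo "$seq" > "$dest/.seq"
  archive="$dest/full-$(printf '%04d' "$seq").tar"
  ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$archive.sha256"
  tar -cf "$archive" -C "$src" .
  echo "$archive"
}

# rotate_backups BACKUP_DIR: deletes the oldest archives (and manifests)
# beyond KEEP_GENERATIONS, oldest first by sequence number.
rotate_backups() {
  dest=$1
  total=$(ls "$dest"/full-*.tar 2>/dev/null | wc -l)
  excess=$((total - KEEP_GENERATIONS))
  [ "$excess" -gt 0 ] || return 0
  ls "$dest"/full-*.tar | LC_ALL=C sort | head -n "$excess" | while read -r old; do
    rm -f "$old" "$old.sha256"
  done
}

# recovery_test ARCHIVE: the "periodic recovery test". Restores into a scratch
# directory and verifies every file against the manifest; returns 0 only if
# the restore is faithful, which a successful tar run alone does not prove.
recovery_test() {
  archive=$1
  scratch=$(mktemp -d)
  rc=1
  if tar -xf "$archive" -C "$scratch" \
     && ( cd "$scratch" && sha256sum -c --quiet "$archive.sha256" ); then
    rc=0
  fi
  rm -rf "$scratch"
  return "$rc"
}
```

The point of recovery_test is that a backup job exiting 0 proves nothing about restorability; only a restore checked against an independently recorded manifest does.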


Framework

Prevention, Detection, Recovery


An unavoidable threat to business continuity has occurred... What's at stake?

• Customers move to "more reliable" competitors
• Idle time of non-productive employees
• Loss of customer service satisfaction
• Cost of rebuilding lost data (errors/rework)
• Additional staff needed to resolve problems
• Fines and penalties imposed by regulatory agencies
• Fines and penalties associated with existing contracts
• Breakdown of internal controls


Emergency Procedures vs. Disaster Recovery vs. Business Continuity

• Emergency Procedures
  – Focus on tactical steps to be performed by operations staff on an event-by-event basis
  – Heavy emphasis on minutes/hours following onset of an emergency
  – Facility schematics (HVAC, plumbing, etc.), service providers

• Disaster Recovery
  – Focus on technology resumption (or, traditional Disaster Recovery)
  – Restoration of 'mission-critical' technology, communications infrastructure, centralized applications
  – Contact lists, notification schedules, 're-start' procedures

• Business Continuity
  – Focus on restoring critical business processes and 'normal' operations: inventory and prioritize
  – Technology is critical, but so are 'essential' business processes, e.g., rent receipt processing


Some recent examples

• Global Investment Bank
  – On a Saturday in August, a steam pipe ruptured in NYC. Areas affected: equity trading, equity sales, equity research, equity capital markets, private wealth management and legal departments; 1,100 staff
  – Result: Initiated business continuity plan; relocated staff to six alternative locations. Resumed trading operations Monday morning

• Major Financial Publisher
  – September 11: staff were displaced by tragic events. Publishing capability was at risk.
  – Result: After the 1990 power blackouts in lower Manhattan, the company had developed an elaborate business continuity plan. They executed this plan, which included activation of a hot-site in NJ, which was ready for use by the time staff arrived there.


Some recent examples

• Key Processing / Clearing Bank
  – September 11: bank executes its disaster recovery plan in response to terrorist attack. Trade processing and other core functions are re-routed to backup systems. As a result of prioritization, continuity was restored for some systems and processes (e.g., trade processing, clearing, settlement), while areas deemed non-essential (e.g., ATM network) were not restored.
  – Result: Many of the backup systems worked. But some did not (e.g., government bond processing). Bank believes they were successful in implementation of their plan. Some of their customers may disagree.

• Major Law Firm
  – September 11: relocated WTC staff to 7 other NYC law firms using borrowed space
  – Result: Scattered people, fragmented operations, collaboration/coordination issues


The Cost of Business Continuity

• Cost components
  – Consultants
  – Internal resources
  – Service providers (recurring)
  – Time

• Who pays?
  – Company-wide project with an IT component

But consider the cost of doing nothing...


What you should be doing now

Review your plan…

Do you have a comprehensive plan?
• 80% of NY-based companies' plans are lacking, missing, or obsolete*

If YES:
• Review it
  – Changes since last review: new systems, infrastructure changes
  – Are responsible individuals still with your firm?
  – Does it provide for restoration of core business functions?
  – Are your critical resources centralized?
  – Service contracts
• Get a 3rd party perspective
  – Will your plan work in today's environment?
• Test it
• Maintain it

* Source: GT


What you should be doing now

Develop a plan…

Do you have a comprehensive plan?

If NO:
• Get management buy-in
  – Expensive, time consuming, no immediate ROI
• Form a team
• Define your approach
• Perform a business impact analysis
• Cover the essentials
• Develop the plan
• Train your employees
• Test the plan
• Maintain and update the plan


What you should be doing now

Consider remote site operation…

Do you have an alternate location available for technology and people?

Options: hot site, cold site, mobile site or hybrid

• If YES:
  – Review the terms of your agreement. Does the contracted service still meet your current needs?

• If NO:
  – Consider an outsourcing services provider (SunGard, IBM, etc.) as one part of a comprehensive solution.

• Considerations
  – Exclusion zones
  – Service guarantees
  – Duration
  – Test time
  – Competitive bidding
  – Complex pricing structures
  – Termination clauses


What you should be doing now

Review your insurance coverage…

Do you have all the necessary insurance?

• General commercial coverage (e.g., liability, property, etc.)
• Business interruption insurance
• OEM insurance / quick ship

• If YES:
  – Review your policies.
    • E&O, terrorism and other exclusions

• If NO:
  – Get some!


What you should be doing now

Review important processes…

Are your critical processes paper intensive?
• Next to people, paper records are the most difficult component of any business to replace
  – What are my vital records? What are the retention requirements?
  – What would happen if my vital paper records were destroyed?

• Consider document imaging and workflow automation
  – Re-think current processes
  – Automate paper-intensive processes
  – Provide an electronic record of important documents

• Confirm legal admissibility
  – ROI very high - usually pays for itself


What else can I do?

• Review your outsourced services
  – Does your service provider have a disaster recovery plan?
  – Are they viable over the long term? Many recent ASP, ISP, and carrier failures
  – What controls are in place to prevent unauthorized access to your data? Have these controls been tested by an independent third party?

• Form alliances
  – Is there a business partner, or even competitor, that I would be willing to team with?
  – Is there a company that has similar equipment to mine, whose technology resources (e.g. data center) can be made available to me if necessary?

Questions and Answers
