Organisational Resilience
ISACA Melbourne Chapter
13 August 2013
2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.
Agenda
Emergence of Organisational Resilience (Org Res)
Our Resilience research
Attributes of resilient organisations
Resilience and service continuity
Practical approaches to resilience
Emergence of Organisational Resilience
Emergence of Organisational Resilience: Experiences at the edge of survival
What is Resilience? Is it toughness?
Flexibility? Ingenuity?
... Or something else?
Three experiences at the edge of survival ... is there a pattern?
Emergence of Organisational Resilience: Volatility, velocity, visibility
Volatility of the economic and demographic environment
Velocity of innovation and information
Visibility into everything that organisations do
Emergence of Organisational Resilience: Economic & demographic volatility
Financial uncertainty and instability
Emerging middle class in developing markets
Scarcity / imbalance of resources / political instability
Complexity of networks
Intensification of global competition
Plans need to be aggressive but risk adjusted
Emergence of Organisational Resilience: Velocity of innovation and information
Speed to market
Market awareness and responsiveness is crucial
Virtual world with access to information anywhere anytime
Innovation is expected
Brand movement
60% of global population with access to smart devices by 2030
Knowledge of alternatives
Need to be able to move quickly and carefully
Emergence of Organisational Resilience: Visibility into everything
Unprecedented access to information
Global village causing blurred lines
Visibility is global
For the informed customer everything is contextual
Need to be authentic
Accountability
Unrestricted global boundaries
Sustainability
Reputation needs to be real and managed
Emergence of Organisational Resilience: The opportunity
These forces create enormous opportunities and daunting challenges for government and business.
Risk and opportunities must be carefully balanced:
Grow and profit / manage costs
Protect performance
Innovate continuously
Optimise performance
All these elements are uniquely combined in the organisational resilience approach.
Unlike traditional approaches, OR balances these protect-focused and perform-focused approaches and strategies.
Emergence of Organisational Resilience: Perform / Protect Matrix
There are many strategies and approaches to select from that align with and support organisational resilience.
Select perform-focused and protect-focused strategies and approaches consistent with the organisational context, internal and external.
Figure: The Perform / Protect Matrix
Emergence of Organisational Resilience: Preparing organisations for the unforeseen
OR helps businesses prepare for unforeseen risks, or those that, due to the complexity of external and internal conditions, are considered unforeseeable.
Traditional approaches (such as risk management) tend to focus on risks that are foreseeable, even if highly unlikely.
In this way OR deals with the universe of unforeseeable and foreseeable risks.
Events of the past decade and a half have increased sensitivity to unforeseeable risk and the appetite to deal with it.
Emergence of Organisational Resilience: Compared to Business Continuity Management
Business Continuity Management (BCM) is a continuous, risk-based, proactive management approach for the continuation of critical business functions and the recovery of people, processes and technology from business disruptions, in an optimised and sustainable manner.
Emergence of Organisational Resilience: Much more than preparing for disasters
BCM primarily focuses on enabling organisations to react, responding to operational disruptions (people, process & technology) when they occur.
Risk management enables organisations to resist disruptive influences (internal and external) that can disrupt BAU and the achievement of corporate goals.
OR focuses on all three elements of a continuum of risk and opportunity: resisting disruption to BAU, reacting to shocks, and reshaping competitive environments through disruptive innovation.
Our Resilience research
Our Organisational Resilience research: Federal and state-based initiatives for OR
Trusted Information Sharing Network (TISN) (2001-present)
National Security Statement (2008)
National Disaster Resilience Strategy (2009)
Victorian Emergency Management Reform White Paper (2012): Community / Collaboration / Capability; all hazards for agencies
A Roadmap for Victorian Critical Infrastructure Resilience (2012)
Strong and Secure: A Strategy for Australia's National Security (2013)
Our Organisational Resilience research: With the Commonwealth Attorney-General's Department
Critical Infrastructure Resilience Strategy (2010), led by the Commonwealth Attorney-General's Department
A value proposition for OR for business and society was needed
2012-13 research with the Commonwealth Attorney-General's Department: Organisational Resilience: The relationship with risk related corporate strategies (2013)
Attributes of resilient organisations
Attributes of resilient organisations: Leadership | Networks | Culture | Change Readiness
Our research identified four key attributes of resilient organisations:
Resilience Leadership
Resilience Networks
Resilience Culture
Change Readiness
Resilience and IT service continuity
Resilience and IT service continuity: The resilience continuum
Resilience and IT service continuity: IT service continuity and Security Program Management (SPM)
Figure: Integrated security program framework, comprising:
Key business drivers; External challenges
Business-level performance
Security risk governance & risk management: Compliance; Reporting and metrics; Risk culture; Policy framework
Mandate, people and organization: Strategy and architecture; Operations and integration; Awareness and training
Security methods and processes: Identity and access; Human resources; Threat and vulnerability; Asset; Information, data and privacy; Business continuity and disaster recovery; Incident; Operations and engineering; Third party; Logging and monitoring; Communications; Physical and environmental security
Security technology enablement: Applications; Data; Infrastructure
Governance; Internal Audit; Integrated capabilities
Resilience and IT service continuity: IT Service Continuity Management Lifecycle
Figure: The IT Service Continuity Management lifecycle, a cycle of seven stages:
1. Diagnose (needs): identifies the current state and infrastructure readiness.
2. Assess (risks): identifies risks, and analyses and evaluates the appropriateness of the risk controls.
3. Analyse (impacts): identifies the key products and services and their critical activities.
4. Design (solutions): identifies strategies and alternate workarounds for the IT services and systems to meet the continuity objectives.
5. Build (capability): develops appropriate arrangements and infrastructure capabilities.
6. Validate (capability): validates the adequacy and currency of the IT SCM plans through testing and reviewing.
7. Sustain (capability): sustains IT SCM capability through reviewing, updating, exercising, promoting and embedding an IT SCM culture.
Resilience and IT service continuity: Business Impact Assessment (BIA)
Figure: BIA recovery timeline. Left to right: Last Backup or Replication; Disruptive Event; Systems and Resources Unavailable; System and Resources Recovery (recover from last backup and backlog, if any); Back to Operation; Acceptable Operation.
RPO: the interval from the last backup or replication to the disruptive event, shown as Lost Data (Data Loss).
RTO: the interval from the disruptive event to Back to Operation, shown as Service Loss.
Resilience and IT service continuity: Business Critical Path
Link the business process to the underlying application and technical infrastructure dependencies.
Figure: Business Critical Path, spanning Disaster and Continuity. Infrastructure layers: Server pool; Network pool; Storage pool. Recovery tiers shown: Mission Critical, Zero, 24 hours & 120 hours.
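The BIA timeline and the business critical path above describe two measurements that a continuity review actually has to compute: how much data a process loses (last backup to event, against its RPO) and how long its service is lost (event to return to operation, against its RTO), where the service loss of a business process is driven by the slowest chain of application and infrastructure pool dependencies beneath it. The following is an added worked example and not code from the slides or from EY; the component names, tier targets and timestamps are constructed sample data, and the "effective RTO equals own recovery time plus slowest dependency chain" rule is the example's own modelling assumption for a sequential recovery.

```python
"""Worked Business Impact Assessment (BIA) check over a business critical path.

Added example, not code from the slides. It models the BIA timeline
(RPO = data lost between the last backup or replication and the disruptive
event; RTO = service lost between the event and return to operation) and
the business critical path (a business process depends on an application,
which depends on server, network and storage pools, each with its own
recovery time). All names, tiers and timings below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Component:
    """An application or infrastructure pool on the critical path."""
    name: str
    recovery_hours: float                       # time to restore this component itself
    depends_on: list = field(default_factory=list)


@dataclass
class BiaTarget:
    """Continuity objectives agreed in the BIA for one business process."""
    process: str
    tier: str           # constructed tier label
    rto_hours: float    # maximum tolerable service loss
    rpo_hours: float    # maximum tolerable data loss


def critical_path(name, components, _stack=()):
    """Return (effective recovery hours, slowest dependency chain) for a component.

    Assumption: a component is back only after every dependency it relies on
    is back, so its effective recovery time is its own recovery time plus the
    slowest chain beneath it. A dependency cycle is reported as an error.
    """
    if name in _stack:
        raise ValueError(f"dependency cycle through {name}")
    comp = components[name]
    slowest_hours, slowest_path = 0.0, []
    for dep in comp.depends_on:
        hours, path = critical_path(dep, components, _stack + (name,))
        if hours > slowest_hours:
            slowest_hours, slowest_path = hours, path
    return slowest_hours + comp.recovery_hours, slowest_path + [name]


def assess_process(target, top_component, last_backup, event, components):
    """Compare actual data loss and service loss against the BIA targets."""
    actual_rpo = (event - last_backup).total_seconds() / 3600    # lost data window
    actual_rto, path = critical_path(top_component, components)  # service loss window
    return {
        "process": target.process,
        "tier": target.tier,
        "actual_rpo_hours": actual_rpo,
        "rpo_met": actual_rpo <= target.rpo_hours,
        "actual_rto_hours": actual_rto,
        "rto_met": actual_rto <= target.rto_hours,
        "critical_path": path,   # the dependency chain that drives recovery time
    }


def sample_components():
    """Constructed critical path: apps -> server pool -> storage and network pools."""
    comps = [
        Component("storage-pool", 2.0),
        Component("network-pool", 1.0),
        Component("server-pool", 3.0, ["storage-pool", "network-pool"]),
        Component("payments-app", 2.0, ["server-pool"]),
        Component("reporting-app", 1.0, ["server-pool"]),
    ]
    return {c.name: c for c in comps}


# Constructed BIA targets and timeline (the slide names tiers but gives no process data).
PAYMENTS_TARGET = BiaTarget("Customer payments", "Mission Critical", rto_hours=4.0, rpo_hours=1.0)
REPORTING_TARGET = BiaTarget("Management reporting", "Business Critical", rto_hours=24.0, rpo_hours=24.0)
SAMPLE_LAST_BACKUP = datetime(2013, 8, 13, 2, 0)
SAMPLE_EVENT = datetime(2013, 8, 13, 5, 30)


if __name__ == "__main__":
    comps = sample_components()
    for target, top in ((PAYMENTS_TARGET, "payments-app"), (REPORTING_TARGET, "reporting-app")):
        r = assess_process(target, top, SAMPLE_LAST_BACKUP, SAMPLE_EVENT, comps)
        print(f"{r['process']} ({r['tier']}): RPO {r['actual_rpo_hours']:.1f}h "
              f"{'ok' if r['rpo_met'] else 'BREACH'}, RTO {r['actual_rto_hours']:.1f}h "
              f"{'ok' if r['rto_met'] else 'BREACH'} via {' -> '.join(r['critical_path'])}")
```

With the constructed data the payments process breaches both objectives (3.5 h of lost data against a 1 h RPO, and a 7 h effective recovery through the storage pool against a 4 h RTO), while reporting is within its 24 h targets; the returned critical path names the dependency a strategy review would have to shorten.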
Resilience and IT service continuity: Service Continuity Strategy Development
Figure: Service continuity strategy development. Elements: Business strategy and impact; Enterprise risk; Guiding principles; Infrastructure strategy; Disaster recovery strategy; Current strategy gaps; Technical dependency; Technology constraints; People constraints; Business constraints; Total cost of ownership; High-level investment; Roadmap and timeline.
Sourcing alternatives: In-source; Co-location; Outsourcing; Managed hosting; Cloud services.
Resilience and IT service continuity: An IT resilience approach to service continuity
Resilience and IT service continuity: Resilience through the technology stack
Practical approaches to resilience: Thoughts to consider, discuss and act upon
Need for a resilience approach (volatility, velocity, visibility)
Take a practical and pragmatic, good-practice approach
Be commercial, seek solutions that leverage
Disrupt, measure, communicate, improve
Be prepared to evangelise, within reason
Thank You
The views expressed in this presentation are those of Alex Serrano MBA MBCI, and do not necessarily represent the views of EY.