Organisational Resilience ISACA Melbourne Chapter 13 August 2013

ISACA Organisational Resilience Presentation 130813 v1 … · Emergence of Organisational Resilience ... Compared to Business Continuity Management ... ISACA Organisational Resilience


Page 1

Organisational Resilience

ISACA Melbourne Chapter

13 August 2013

Page 2

© 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

Agenda

► Emergence of Organisational Resilience (Org Res)
► Our Resilience research
► Attributes of resilient organisations
► Resilience and service continuity
► Practical approaches to resilience

Page 3

Emergence of Organisational Resilience

Page 4


Emergence of Organisational Resilience

Experiences at the edge of survival

► What is Resilience?

► Is it toughness?
► Flexibility?
► Ingenuity?
► ... Or something else?

► Three experiences at the edge of survival... is there a pattern?

Page 5


Emergence of Organisational Resilience

Volatility, velocity, visibility

► Volatility of the economic and demographic environment

► Velocity of innovation and information

► Visibility into everything that organisations do

Page 6


Emergence of Organisational Resilience Economic & demographic volatility


Financial uncertainty and instability

Emerging middle class in developing markets

Scarcity / imbalance of resources / political instability

Complexity of networks

Intensification of global competition

Plans need to be aggressive but risk adjusted

Page 7


Emergence of Organisational Resilience Velocity of innovation and information


Speed to market

Market awareness and responsiveness is crucial

Virtual world with access to information anywhere anytime

Innovation is expected

Brand movement

60% of global population with access to smart devices by 2030

Knowledge of alternatives

Need to be able to move quickly and carefully

Page 8


Emergence of Organisational Resilience Visibility into everything


Unprecedented access to information

Global village causing blurred lines

Visibility is global

For the informed customer everything is contextual

Need to be authentic

Accountability

Unrestricted global boundaries

Sustainability

Reputation needs to be real and managed

Page 9


Emergence of Organisational Resilience The opportunity

► These forces create enormous opportunities and daunting challenges for government and business.

► Risk and opportunities must be carefully balanced:
► Grow and profit / manage costs
► Protect performance
► Innovate continuously
► Optimise performance

► All these elements are uniquely combined in the organisational resilience approach.

► Unlike traditional approaches, OR balances these “protect”-focused and “perform”-focused approaches and strategies.

Page 10


Emergence of Organisational Resilience ‘Perform / Protect’ Matrix


► There are many strategies and approaches to select from which align with and support organisational resilience

► Selection of “perform” and “protect” focused strategies and approaches consistent with the organisational context – internal and external

Figure: The Perform / Protect Matrix

Page 11


Emergence of Organisational Resilience Preparing organisations for the unforeseen

► OR helps businesses prepare for unforeseen risks, or those that, due to the complexity of external and internal conditions, are considered unforeseeable.

► Traditional approaches (such as risk management) tend to focus on risks that are foreseeable, even if highly unlikely.

► In this way OR deals with the universe of ‘unforeseeable’ and ‘foreseeable’ risks.

► Events of the past decade and a half have increased sensitivity to unforeseeable risk and the appetite to deal with it.

Page 12


Emergence of Organisational Resilience Compared to Business Continuity Management

► Business Continuity Management (BCM) is a continuous, risk-based, proactive management approach for the continuation of critical business functions and the recovery of people, processes and technology from business disruptions, in an optimised and sustainable manner.

Page 13


Emergence of Organisational Resilience Much more than preparing for disasters...

► BCM primarily focuses on enabling organisations to react – responding to operational disruptions (people, process & technology) when they occur.

► Risk management enables organisations to resist disruptive influences (internal and external) that can disrupt BAU and the achievement of corporate goals.

► OR focuses on all three elements of a continuum of risk and opportunity – resisting disruption to BAU, reacting to shocks, and reshaping competitive environments through disruptive innovation.

Page 14

Our Resilience research

Page 15


Our Organisational Resilience research

Federal and state-based initiatives for OR

► Trusted Information Sharing Network (TISN) (2001-present)

► ‘National Security Statement’ (2008)

► ‘National Disaster Resilience Strategy’ (2009)

► ‘Victorian Emergency Management Reform White Paper’ (2012)
► Community / Collaboration / Capability
► All hazards for agencies

► ‘A Roadmap for Victorian Critical Infrastructure Resilience’ (2012)

► ‘Strong and Secure – A Strategy for Australia’s National Security’ (2013)

Page 16


Our Organisational Resilience research

With the Commonwealth Attorney-General’s Department

► ‘Critical Infrastructure Resilience Strategy’ (2010) led by the Commonwealth Attorney-General’s Department

► Value proposition for OR for business and society needed

► 2012-13 research with the Commonwealth Attorney-General’s Department – ‘Organisational Resilience: The relationship with risk related corporate strategies’ (2013)

Page 17

Attributes of resilient organisations

Page 18


Attributes of resilient organisations

Leadership | Networks | Culture | Change Readiness

► Our research identified four key attributes of resilient organisations:
► Resilience Leadership
► Resilience Networks
► Resilience Culture
► Change Readiness

Page 19

Resilience and IT service continuity

Page 20


Resilience and IT service continuity

The ‘resilience continuum’


Page 21


Resilience and IT service continuity IT service continuity and Security Program Management (SPM)

Figure: IT service continuity within Security Program Management (SPM). The diagram shows the elements of an integrated security program: business-level performance; security technology enablement (applications, data, infrastructure); security methods and processes (identity and access; human resources; threat and vulnerability; asset; information, data and privacy; business continuity and disaster recovery; incident; operations and engineering; third party; logging and monitoring; communications; physical and environmental security); mandate, people and organisation (strategy and architecture, operations and integration, awareness and training); and security risk governance and risk management (compliance, reporting and metrics, risk culture, policy framework). Key business drivers and external challenges are the inputs; governance and internal audit are shown as integrated capabilities.

Page 22


Resilience and IT service continuity IT Service Continuity Management Lifecycle

Figure: IT Service Continuity Management lifecycle, seven phases arranged in a cycle:

1. Diagnose (needs): identifies the current state and infrastructure readiness.

2. Assess (risks): identifies risks, then analyses and evaluates the appropriateness of the risk controls.

3. Analyse (impacts): identifies the key products and services and their critical activities.

4. Design (solutions): identifies strategies and alternate workarounds for the IT services and systems to meet the continuity objectives.

5. Build (capability): develops appropriate arrangements and infrastructure capabilities.

6. Validate (capability): validates the adequacy and currency of the IT SCM plans through testing and reviewing.

7. Sustain (capability): sustains IT SCM capability through reviewing, updating, exercising, promoting and embedding an IT SCM culture.

Page 23


Resilience and IT service continuity Business Impact Assessment (BIA)

Figure: Business Impact Assessment timeline. The last backup or replication precedes the disruptive event; data written between the two is lost data, and the tolerable span of that window is the Recovery Point Objective (RPO). From the disruptive event, systems and resources are unavailable until recovery from the last backup (plus any backlog) brings the system back to acceptable operation; that service loss window is bounded by the Recovery Time Objective (RTO).

Page 24


Resilience and IT service continuity Business Critical Path

Link the business process to the underlying application and technical infrastructure dependencies.

Figure: Business Critical Path. Business processes are tiered by recovery time: Mission Critical (zero to <=24 hours), Critical (>24 hours and <=120 hours) and Essential (>120 hours). Each tier is mapped onto the shared server, network and storage pools that support it under disaster continuity. Example business functions and their activities shown on the slide:

• A&F: Treasury: Client Wires, Corporate Wires, Cash Settlements, Check Voids/Stops, Roll Wires, Client ACH File Verification
• Margin: Trade Extension Filing, Margin Call Resolution, Check and Wire Approval, Insite Reporting
• Imaging: Processing checks, wires, ACH and journals from retirement accounts; Qualified Plan Document Generation
• Service Center: Incoming Advisor Calls, Business Processing, Responding to emails
• Advisory Account: Advisory Performance
• Advisory Operations: Advisory Fee Billing, Manager Select Account Termination
• Compliance: Advisory, Surveillance, FACS Supervision, HOS, Registration, AML
• Client Reporting: Statement Production, Confirmation Production, Quarterly Performance Production, Letter Production
• Tax Reporting: Statement Production, BranchNet Cost Basis Update File, ADP Transporter
• Stock Record: Stock Record Reconciliation
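The BIA timeline on the previous slide and the recovery-time tiers on this one are easy to state and easy to get wrong in practice, so here is an added worked check (example code written for this page, not material from the presentation or from EY): it finds the last backup before a disruptive event, measures the data-loss and service-loss windows against a process's RPO and RTO, and maps the RTO onto the slide's three tiers. The backup timestamps and outage times are constructed sample values.

```python
# Added example (not from the presentation): checks a recovery timeline against
# RPO/RTO objectives as drawn on the BIA slide and maps the RTO onto the
# Business Critical Path tiers. Timestamps below are constructed, not real incidents.
from datetime import datetime, timedelta

# Tiers exactly as the Business Critical Path slide defines them, by RTO in hours.
# Each tuple is (tier name, inclusive upper bound in hours; None = no upper bound).
TIERS = (
    ("Mission Critical", 24),   # zero to <= 24 hours
    ("Critical", 120),          # > 24 hours and <= 120 hours
    ("Essential", None),        # > 120 hours
)


def tier_for_rto(rto_hours: float) -> str:
    """Return the slide's tier name for a recovery time objective in hours."""
    if rto_hours < 0:
        raise ValueError("RTO cannot be negative")
    for name, upper in TIERS:
        if upper is None or rto_hours <= upper:
            return name
    raise AssertionError("TIERS must end with an open-ended tier")


def last_backup_before(backups: list, event: datetime) -> datetime:
    """Most recent backup/replication point at or before the event; everything
    written after it is the 'lost data' window on the BIA slide."""
    earlier = [b for b in backups if b <= event]
    if not earlier:
        raise ValueError("no backup exists before the disruptive event")
    return max(earlier)


def assess_outage(backups: list, event: datetime, back_to_operation: datetime,
                  rpo: timedelta, rto: timedelta) -> dict:
    """Measure data loss (last backup -> event) and service loss (event -> back
    to operation) and compare both with the objectives set in the BIA."""
    if back_to_operation < event:
        raise ValueError("recovery cannot complete before the disruptive event")
    data_loss = event - last_backup_before(backups, event)
    service_loss = back_to_operation - event
    return {
        "data_loss_hours": data_loss.total_seconds() / 3600,
        "service_loss_hours": service_loss.total_seconds() / 3600,
        "rpo_met": data_loss <= rpo,
        "rto_met": service_loss <= rto,
        "tier": tier_for_rto(rto.total_seconds() / 3600),
    }


def demo() -> dict:
    """Constructed sample: nightly backups at midnight, outage at 06:30, service
    back at 14:00, for a process with a 4-hour RPO and a 24-hour RTO."""
    backups = [datetime(2013, 8, 11), datetime(2013, 8, 12), datetime(2013, 8, 13)]
    return assess_outage(backups, datetime(2013, 8, 13, 6, 30),
                         datetime(2013, 8, 13, 14, 0),
                         rpo=timedelta(hours=4), rto=timedelta(hours=24))


if __name__ == "__main__":
    print(demo())  # rpo_met False (6.5 h of data lost), rto_met True, Mission Critical
```

The sample shows the common failure mode: a nightly backup cannot satisfy a 4-hour RPO even though the RTO was comfortably met, which is exactly the gap a BIA is meant to surface.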

Page 25


Resilience and IT service continuity Service Continuity Strategy Development

Figure: Service Continuity Strategy Development. Inputs and considerations: business strategy and impact, enterprise risk, infrastructure strategy, guiding principles, current strategy gaps, total cost of ownership and technical dependency, weighed within business, technology and people constraints. Sourcing alternatives: in-source, co-location, outsourcing, managed hosting, cloud services. Output: the disaster recovery strategy, with its high-level investment and a roadmap and timeline.

Page 26


Resilience and IT service continuity An IT resilience approach to service continuity


Page 27


Resilience and IT service continuity Resilience through the technology stack


Page 28

Resilience and IT service continuity

Page 29


Practical approaches to resilience

Thoughts to consider, discuss and act upon

► Need for a resilience approach (volatility, velocity, visibility)

► Take a practical and pragmatic, good practice approach

► Be commercial, seek solutions that ‘leverage’

► Disrupt, measure, communicate, improve

► Be prepared to evangelise, within reason

Page 30

Thank You

The views expressed in this presentation are those of Alex Serrano MBA MBCI, and do not necessarily represent the views of EY.