ISACA Organisational Resilience Presentation 130813 v1 … · Emergence of Organisational Resilience ... Compared to Business Continuity Management ... ISACA Organisational Resilience

Organisational ResilienceISACA Melbourne Chapter

13 August 2013

© 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.2

Agenda

► Emergence of Organisational Resilience (Org Res)► Our Resilience research ► Attributes of resilient organisations► Resilience and service continuity► Practical approaches to resilience

Emergence of Organisational Resilience


Emergence of Organisational ResilienceExperiences at the edge of survival

►What is Resilience?

► Is it toughness? ► Flexibility?

► Ingenuity? ► ... Or something else?

► Three experiences at the edge of survival... ...is there a pattern?

© 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

Emergence of Organisational ResilienceVolatility, velocity, visibility

► Volatility of the economic and demographic environment

►Velocity of innovation and information

►Visibility into everything that organisations do

5


Emergence of Organisational Resilience Economic & demographic volatility

6

Financial uncertainty and instability

Emerging middle class in developing markets

Scarcity / imbalance of resources / political instability

Complexity of networks

Intensification of global competition

Plans need to be aggressive but risk adjusted


Emergence of Organisational Resilience Velocity of innovation and information

7

Speed to market Market awareness and responsiveness is crucial

Virtual world with access to information anywhere anytime

Innovation is expected

Brand movement

60% of global population with access to smart devices by 2030

Knowledge of alternatives

Need to be able to move quickly and carefully


Emergence of Organisational Resilience Visibility into everything

8

Unprecedented access to information

Global village causing blurred lines

Visibility is globalFor the informed customer everything

is contextual

Need to be authentic

Accountability

Unrestricted global boundaries

Sustainability

Reputation needs to be real and managed


Emergence of Organisational Resilience The opportunity

► These forces creates enormous opportunities and daunting challenges for government and business

► Risk and opportunities must be carefully balanced.► Grow and profit/manage costs► Protect performance► Innovate continuously► Optimise performance

► All these elements are uniquely combined in the organisational resilience approach.

► Unlike traditional approaches, OR balances these “protect” and “perform” – focused approaches and strategies

9


Emergence of Organisational Resilience ‘Perform / Protect’ Matrix

10

► There are many strategies and approaches to select from which align with and support organisational resilience

► Selection of “perform” and “protect” focused strategies and approaches consistent with the organisational context – internal and external

Figure: The Perform / Protect Matrix


Emergence of Organisational Resilience Preparing organisations for the unforeseen

► OR helps businesses prepare for unforseen risks, or those that due to the complexity of external and internal conditions, are considered unforeseeable.

► Traditional approaches (such as risk management) tend to focus on risks that are foreseeable, even if highly unlikely.

► In this way OR deals with the universe of ‘unforeseeable’ and ‘foreseeable’ risks.

► Events of the past decade and a half have increased a sensitivity to unforeseeable risk and an appetiteto deal with it.


Emergence of Organisational Resilience Compared to Business Continuity Management

► Business Continuity Management (BCM) is a continuous, risk-based, proactive management for the continuation of critical business functions and the recovery of people, processes and technology from business disruptions, in a optimised and sustainable manner.


Emergence of Organisational Resilience Much more than preparing for disasters....

► BCM primarily focuses on enabling organisations to react – responding to operational disruptions (people, process & technology) when they occur.

► Risk management enables organisations to resist disruptive influences (internal and external) that can disrupt BAU and achieving corporate goals.

► OR focuses on all three elements of a continuum of risk and opportunity –resisting disruption to BAU, reacting to shocks, and reshaping competitive environments through disruptive innovation.

Our Resilience research


Our Organisational Resilience researchFederal and state-based initiatives for OR

► Trusted Information Sharing Network (TISN) (2001-present)

► ‘National Security Statement’ (2008)► ‘National Disaster Resilience Strategy’ (2009)► ‘Victorian Emergency Management Reform White Paper’

(2012)► Community / Collaboration / Capability► All hazards for agencies

► ‘A Roadmap for Victorian Critical Infrastructure Resilience’ (2012)

► ‘Strong and Secure – A Strategy for Australia’s National Security’ (2013)


Our Organisational Resilience researchWith the Commonwealth Attorney-General’s Department

► ‘Critical Infrastructure Resilience Strategy’ (2010) led by the Commonwealth Attorney-General’s Department

► Value proposition for OR for business and society needed

► 2012-13 research with the Commonwealth Attorney-General’s Department -‘Organisational Resilience: The relationship with risk related corporate strategies’ (2013)

Attributes of resilient organisations


Attributes of resilient organisationsLeadership | Networks | Culture | Change Readiness

► Our research identified fourkey attributes of resilient organisations ► Resilience Leadership► Resilience Networks ► Resilience Culture ► Change Readiness

Resilience and IT service continuity


Resilience and IT service continuityThe ‘resilience continuum’

20


Resilience and IT service continuity IT service continuity and Security Program Management (SPM)

Business-level performance

Security technology enablement

Applications Data Infrastructure

Security methods and processesIdentity and access Human resources Threat and vulnerability

Asset Information, data and privacy Business continuity and disaster recovery

Incident Operations and engineering Third party

Logging and monitoring Communications Physical andenvironmental security

Mandate, people and organizationStrategy and architecture Operations and integration Awareness and training

Integratedsecurityprogram

Integratedsecurityprogram

Security risk governance & risk management

Compliance Reporting and metrics

Risk culture Policy framework

Key business driversKey business drivers

External challengesExternal challenges

Governance

Internal Audit

Integrated capabilities


Resilience and IT service continuity IT Service Continuity Management Lifecycle

1. Identifies the current state, infrastructure readiness

2. Identifies risks, analyses and evaluates the

appropriateness of the risk controls.

4. Identifies strategies and alternate workaround to the

IT Services and systems to meet the continuity

objectives

3. Identifies the key products and services and

its critical activities.

7. Sustaining IT SCM capability through reviewing, updating, exercising, promoting and embedding a IT SCM culture.

22

5. Develops appropriate arrangements and infrastructure capabilities

6. Validates the adequacy and currency of the IT SCM plans through testing and reviewing

IT Service Continuity

Management

1. Diagnose

(needs)

2. Assess

(risks)

3. Analyse (impacts)

4. Design(solutions)

5. Build

(capability)

6.Validate(capability)

7. Sustain(Capability)

IT Service Continuity

Management

1. Diagnose

(needs)

2. Assess

(risks)

3. Analyse (impacts)

4. Design(solutions)

5. Build

(capability)

6.Validate(capability)

7. Sustain(Capability)


Resilience and IT service continuity Business Impact Assessment (BIA)

Lost Data

Last Backup or Replication

Systems and Resources Unavailable

Recover from Last Backup and Backlog (if any)

System and Resources Recovery

RTO

Disruptive Event

RPO

Back to Operation

Acceptable Operation

Data Loss Service Loss

23


Link the business process to the underlying application and technical infrastructure dependencies

Server pool Network pool Storage pool

Mission CriticalZero – <=24 hours

Critical>24 hours & <=120 hours

• Client Wires• Corporate Wires• Cash Settlements• Check Voids/Stops• Roll Wires• Client ACH File

Verification

A&F: Treasury

• Trade Extension Filing• Margin Call Resolution• Check and Wire Approval• Insite Reporting

Margin

• Processing checks, wires, ACH and journals from retirement accounts

• Qualified Plan Document Generation

Imaging

• Incoming Advisor Calls• Business Processing• Responding to emails

Service Center

• Advisory Performance

Advisory Account

• Advisory Fee Billing• Manager Select Account

Termination

Advisory Operations

• Advisory• Surveillance• FACS Supervision• HOS• Registration• AML

Compliance

• Statement Production• Confirmation Production• Quarterly Performance

Production• Letter Production

Client Reporting

• Statement Production• BranchNet Cost Basis

Update File• ADP Transporter

Tax Reporting

• Stock Record Reconciliation

Stock Record

Essential>120 hours

B U S I N E S S C R I T I C A L P A T H

Disa

ster

Cont

inui

ty

Resilience and IT service continuity Business Critical Path

24


Sourcing alternatives

Technology constraints

Business strategy and impact

Disaster recovery strategy

• High-level investment

• Roadmap and timeline

Current strategy gaps

Total cost of ownership

Infrastructure strategy

Guiding principles

People constraints

Technical dependency • In-source

• Co-location• Outsourcing

• Managed hosting• Cloud services

Enterprise risk

Business constraints

Resilience and IT service continuity Service Continuity Strategy Development

25


Resilience and IT service continuity An IT resilience approach to service continuity

26


Resilience and IT service continuity Resilience through the technology stack

27

Resilience and IT service continuity


Practical approaches to resilienceThoughts to consider, discuss and act upon

► Need for a resilience approach (volatility, velocity, visibility)

► Take a practical and pragmatic, good practice approach

► Be commercial, seek solutions that ‘leverage’► Disrupt, measure, communicate, improve► Be prepared to evangelise, within reason

Thank You

The views expressed in this presentation are those of Alex Serrano MBA MBCI, and do not necessarily represent the views of EY.

Documents

ISACA Organisational Resilience Presentation 130813 v1 … · Emergence of Organisational Resilience ... Compared to Business Continuity Management ... ISACA Organisational Resilience