ISACA Organisational Resilience Presentation 130813 v1 of Organisational Resilience ... Compared to Business Continuity Management ... ISACA Organisational Resilience Presentation_130813

  • View
    217

  • Download
    3

Embed Size (px)

Text of ISACA Organisational Resilience Presentation 130813 v1 of Organisational Resilience ... Compared to...

  • Organisational ResilienceISACA Melbourne Chapter

    13 August 2013

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.2

    Agenda

    Emergence of Organisational Resilience (Org Res) Our Resilience research Attributes of resilient organisations Resilience and service continuity Practical approaches to resilience

  • Emergence of Organisational Resilience

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.4

    Emergence of Organisational ResilienceExperiences at the edge of survival

    What is Resilience? Is it toughness?

    Flexibility? Ingenuity?

    ... Or something else?

    Three experiences at the edge of survival... ...is there a pattern?

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

    Emergence of Organisational ResilienceVolatility, velocity, visibility

    Volatility of the economic and demographic environment

    Velocity of innovation and information

    Visibility into everything that organisations do

    5

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

    Emergence of Organisational Resilience Economic & demographic volatility

    6

    Financial uncertainty and instability

    Emerging middle class in developing markets

    Scarcity / imbalance of resources / political instability

    Complexity of networks

    Intensification of global competition

    Plans need to be aggressive but risk adjusted

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

    Emergence of Organisational Resilience Velocity of innovation and information

    7

    Speed to market Market awareness and responsiveness is crucial

    Virtual world with access to information anywhere anytime

    Innovation is expected

    Brand movement

    60% of global population with access to smart devices by 2030

    Knowledge of alternatives

    Need to be able to move quickly and carefully

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

    Emergence of Organisational Resilience Visibility into everything

    8

    Unprecedented access to information

    Global village causing blurred lines

    Visibility is globalFor the informed customer everything

    is contextual

    Need to be authentic

    Accountability

    Unrestricted global boundaries

    Sustainability

    Reputation needs to be real and managed

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

    Emergence of Organisational Resilience The opportunity

    These forces creates enormous opportunities and daunting challenges for government and business

    Risk and opportunities must be carefully balanced. Grow and profit/manage costs Protect performance Innovate continuously Optimise performance

    All these elements are uniquely combined in the organisational resilience approach.

    Unlike traditional approaches, OR balances these protect and perform focused approaches and strategies

    9

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

    Emergence of Organisational Resilience Perform / Protect Matrix

    10

    There are many strategies and approaches to select from which align with and support organisational resilience

    Selection of perform and protect focused strategies and approaches consistent with the organisational context internal and external

    Figure: The Perform / Protect Matrix

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.11

    Emergence of Organisational Resilience Preparing organisations for the unforeseen

    OR helps businesses prepare for unforseen risks, or those that due to the complexity of external and internal conditions, are considered unforeseeable.

    Traditional approaches (such as risk management) tend to focus on risks that are foreseeable, even if highly unlikely.

    In this way OR deals with the universe of unforeseeable and foreseeable risks.

    Events of the past decade and a half have increased a sensitivity to unforeseeable risk and an appetiteto deal with it.

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.12

    Emergence of Organisational Resilience Compared to Business Continuity Management

    Business Continuity Management (BCM) is a continuous, risk-based, proactive management for the continuation of critical business functions and the recovery of people, processes and technology from business disruptions, in a optimised and sustainable manner.

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.13

    Emergence of Organisational Resilience Much more than preparing for disasters....

    BCM primarily focuses on enabling organisations to react responding to operational disruptions (people, process & technology) when they occur.

    Risk management enables organisations to resist disruptive influences (internal and external) that can disrupt BAU and achieving corporate goals.

    OR focuses on all three elements of a continuum of risk and opportunity resisting disruption to BAU, reacting to shocks, and reshaping competitive environments through disruptive innovation.

  • Our Resilience research

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.15

    Our Organisational Resilience researchFederal and state-based initiatives for OR

    Trusted Information Sharing Network (TISN) (2001-present)

    National Security Statement (2008) National Disaster Resilience Strategy (2009) Victorian Emergency Management Reform White Paper

    (2012) Community / Collaboration / Capability All hazards for agencies

    A Roadmap for Victorian Critical Infrastructure Resilience (2012)

    Strong and Secure A Strategy for Australias National Security (2013)

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.16

    Our Organisational Resilience researchWith the Commonwealth Attorney-Generals Department

    Critical Infrastructure Resilience Strategy (2010) led by the Commonwealth Attorney-Generals Department

    Value proposition for OR for business and society needed

    2012-13 research with the Commonwealth Attorney-Generals Department -Organisational Resilience: The relationship with risk related corporate strategies (2013)

  • Attributes of resilient organisations

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.18

    Attributes of resilient organisationsLeadership | Networks | Culture | Change Readiness

    Our research identified fourkey attributes of resilient organisations Resilience Leadership Resilience Networks Resilience Culture Change Readiness

  • Resilience and IT service continuity

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

    Resilience and IT service continuityThe resilience continuum

    20

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.21

    Resilience and IT service continuity IT service continuity and Security Program Management (SPM)

    Business-level performance

    Security technology enablement

    Applications Data Infrastructure

    Security methods and processesIdentity and access Human resources Threat and vulnerability

    Asset Information, data and privacy Business continuity and disaster recoveryIncident Operations and engineering Third party

    Logging and monitoring Communications Physical andenvironmental security

    Mandate, people and organizationStrategy and architecture Operations and integration Awareness and training

    Integratedsecurityprogram

    Integratedsecurityprogram

    Security risk governance & risk management

    Compliance Reporting and metrics

    Risk culture Policy framework

    Key business driversKey business drivers

    External challengesExternal challenges

    Governance

    Internal Audit

    Integrated capabilities

  • 2013 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

    Resilience and IT service continuity IT Service Continuity Management Lifecycle

    1. Identifies the current state, infrastructure readiness

    2. Identifies risks, analyses and evaluates the

    appropriateness of the risk controls.

    4. Identifies strategies and alternate workaround to the

    IT Services and systems to meet the continuity

    objectives

    3. Identifies the key products and services and

    its critical activities.

    7. Sustaining IT SCM capability through reviewing, updating, exercising, promoting and embedding a IT SCM culture.

    22

    5. Develops appropriate arrangements and infrastructure capabilities

    6. Validates the adequacy and currency of the IT SCM plans through testing and reviewing

    IT Service Continuity

    Management

    1. Diagnose

    (need