TSC Business Continuity & Disaster Recovery Session
Mohamed Ashmawy
Infrastructure Consulting Pursuit
Hewlett-Packard Enterprise
Saudi
[email protected]
Session Objectives and Outcomes
Objectives
• Share the key aspects of BCDR
• Business Impact Analysis Service Walkthrough
• Risk Assessment Service Walkthrough
Outcomes
• Common understanding on:
• Business Impact Analysis
• Risk Assessment
• Existing delivery capabilities
• Next Steps
© Copyright 2017 Hewlett-Packard Enterprise Corporation. The information contained herein is subject to change without notice.
Agenda
1 Industry Outlook and Challenges
2 HPE Transformation Area 2 Point of View
3 Business Continuity Management – Key Aspects
4 Business Impact Analysis
5 Risk Assessment
6 GFS Capability Overview
7 HPE Value Differentiation & Next Steps
Industry Outlook & Challenges
Gartner Predicts 2015: Business Continuity Management and IT Disaster Recovery Management
• Demand over legacy backup applications
• In 2015, focus on improving operational resilience with more automation
• By 2018, 50% of organizations will use managed failovers
• By year-end 2020, 15% of organizations will fail due to inadequate protection
Source: Gartner Predicts 2015
Why we should focus on BCDR
Market Forecasts and Analysis – Business Potential
According to “Research and Markets” agency, the GRC solutions and services market including BC & DR will grow at a 14.7% CAGR to $31.77 billion through 2020 – approximately three times the growth rate of the overall GRC market from 2015
Source : http://www.businesswire.com/news/home/20150625005495/en/Research-Markets-Enterprise-Governance-Risk-Compliance-Market#.Vd6la_mqqko
How much can we get here?
BIA & RA Services are critical steps to generate more and more BCDR opportunities
Gaps in Today’s BC & DR Arrangements – Market Demand
Lack of DR planning, testing and resources
• 60+% do not have a fully documented DR plan
• For the remaining 40%, DR plans did not prove very useful when called on to respond to their worst disaster recovery event or scenario
• Almost 65% of enterprises are failing DR testing
Financial impact due to service outage
• 36% of organizations lost one or more critical applications, VMs, or critical data files for hours at a time over the past year
• 20% of organizations indicated losses of more than $50,000 to over $5Mn
Major causes of outages
• 50% software failure + network failure
• 23.5% human error
• 24% power failure
• 2.5% weather
Source: Disaster Recovery Preparedness Benchmark Survey (DRP)
Let’s hear your voice!
Do you leverage automation and orchestration in your disaster recovery plans in order to improve business outcomes?
Open HPE Events App, and answer the following question to participate
HPE Transformation Area 2 Point of View
Transform to a hybrid infrastructure
Enable workplace productivity
Empower the data-driven organization
Protect your digital enterprise: protect your most prized digital assets whether they are on premise, in the cloud or in between.
Protect your digital enterprise
Protect | Detect & Respond | Recover
Protect – Build it in: identify the threats you face, assess your organization’s capabilities to protect your enterprise, harden your applications, protect your users, and encrypt your most important data.
Detect & Respond – Proactively detect and manage breaches: help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration. Establish situational awareness to find and shut down threats at scale.
Recover – Safeguard continuity and compliance: drive resilience and business continuity across your IT environments, systems, and applications. Reduce risk with enterprise-wide governance, risk & compliance strategies.
BIA and RA Services fall under “Recover”
HPE Business Continuity Management – Key Aspects
HPE Business Continuity 5 Step Approach
[Diagram: a five-step cycle around BC Program Management: 1 Understanding your Business; 2 Building Resiliency & Continuity Strategies; 3 Develop & Implement BCM Response; 4 Building & Embedding BCM Culture; 5 Exercising, Maintenance & Audit]
1. Understanding the Business: criticality, compliance mandate, data center operations and support services, to identify continuity & recovery requirements.
2. Building Resilience and Continuity Strategies on the basis of the continuity-related risks identified in BIA and RA.
3. Developing and Implementing a Response Plan to respond to and manage ‘Service Disruptions’.
4. Institutionalizing the Business Continuity framework & processes as part of operations to build Business Continuity maturity.
5. Exercising Business Continuity readiness; updating of BC Plans and independent audit.
[Framework diagram: inputs are Business & Compliance Requirements and Global Best Practices & Standards Alignment]
HPE BCM Framework
‘Business Continuity’ Program Management
BCM Governance
• Policies & Standards
• Roles & Responsibility guide
• BCM Program Management Office
• Management Review
Understand Business Requirements
People and Process:
• Business Process Identification, priority & criticality
• Compliance Statement
• Planning Structure
• Business Impact Analysis
• Risk Assessment
• Interdependencies
• Third Party Dependencies
Technology:
• Risk Assessment
• Recovery requirements
• IT Dependencies
• Service Level Agreements (SLAs)
• Interruption Insurance
Business Continuity Strategies
People and Process:
• Alternative strategies against the results of the BIA exercise
• Third Party continuity strategies
Technology:
• IT Operational Process Requirements
• Single Points of Failure mapping
• IT Resiliency & Recovery strategy
BC Plan, Design & Implementation
People and Process:
• Business Continuity Plans
• Crisis Management Plans
• Crisis Communication Plans
• Command Center Plan
• Pandemic Response Plan
• Emergency Response Plan
• Business Resumption
• Work area recovery (Facilities) Plan
• Return to Home Plan
Technology:
• Disaster Recovery Plans
• Incident Management Plan
• Recovery Strategy Design
• Failover and Failback strategy design
• Data Backup and restoration plan design
Plan Administration
People and Process:
• Exercise and Testing
• Plan Maintenance
• Training and Awareness
• Plan Audit
• Post Mortem analysis and reporting
Technology:
• DR Testing and simulations
• Post Mortem Process
Audit & Compliance
People and Process:
• On-going improvements
• Align newly designed/revised strategy/plans with regulatory requirements
• Compliance report as per legal, regulatory and contractual requirements
Technology:
• On-going improvements
• Align newly designed/revised strategy/plans with regulatory requirements
Business Continuity Management Framework
HPE BCM Framework is aligned to ISO 22301 Standard
Business Impact Analysis Service
Challenges
• Lack of knowledge of financial, reputation and legal impact on the organization
• No process classification to document the criticalities of organizational assets
• Associated process interdependencies not identified
• No established acceptable downtime and recovery level of critical processes
• Resource requirements necessary at the time of a disruption not identified
Objectives
• Identify operational and financial impacts due to business disruptions
• Identify minimum operating requirements
Identifying operating requirements is only aiming at minimising financial and operational impacts
BCP is a set of advance arrangements to increase organizational resilience through availability of critical processes at acceptable levels and downtimes
RTO – Recovery Time Objective | MOR – Minimum Operating Requirements
[Chart: Level of Operations against Time. Operations run at Normal Level until the Incident; the Disruption reduces the level of operations; by the RTO (e.g. 2 wd) operations are restored to MOR Level; MOR delivery continues (e.g. 5 wd) until Normal Level is regained; the overall Crisis duration is e.g. 7 wd]
How an incident is managed
Key Terminologies
BIA helps to identify:
• Process classification (Critical / Key / Others)
• Minimum operating requirements (RTO, MOR and RPO)
• Key resources (People, IT and Infrastructure, 3rd party vendors, documentation)
BIA output drives necessary recovery strategies (backup plan) for the following outage scenarios:
• Site, City, Country, People and Technology
RTO (Recovery Time Objective): Duration of time by which a business process / activity must be resumed
MOR (Minimum Operating Requirements): MOR (expressed as Head Count) to ensure recovery of operations to a pre-defined service level
RPO (Recovery Point Objective): Duration of time of acceptable data loss
Process: Cluster of activities which produce a defined outcome. Unified processes and not multiple processes with a similar name (e.g. Budgeting, Payroll management, Event Management within Marketing)
Function: An entity or team which is typically characterized by a special area of knowledge or experience (HR org-wide function, Payroll org-wide function, Marketing function)
BIA is the process to predict and review the consequences of disruption of business functions / activities, and to gather the information needed to develop appropriate recovery strategies
Proven risk assessment methodology aligned to ISO 31000
BIA Concepts
BIA defines the priorities for recovery of critical operations
Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies.
Evaluate the potential business impact of a process not being performed:
• Tangible Impacts: Financial Exposure
• Intangible Impacts: Brand / Reputation, Legal and Regulatory, Customer Satisfaction
Business Impact Analysis Methodology
Comprehensive impact analysis to determine critical recovery requirements
• Structured and targeted focus reviews
• Classification of in-scope processes into criticality continuum
• Knowledge of recovery requirements
• Establishing internal & external dependencies
• Independent review with SMEs
• Alignment to organization’s strategic goals
Interviews, workshops, templates
Understand
• Process understanding
• Process Mapping
• SPOC Identification
Assess
• BIA workshop
• Questionnaire response
• Moderation and review
Establish
• Establish RTO and RPO
• Identify dependencies
• Identify resource requirements
Document
• Document BIA workbook
• Prepare BIA report
• Management signoff
Deliverables
# Deliverables
1 Kick off Presentation
2 BIA Walkthrough Presentation
3 BIA Template
4 BIA Summary Report
5 Closing Presentation
How can we help Customers?
• Facilitating information gathering and reviewing relevant documentation
• Developing process flow diagrams, mapping key internal and external dependencies
• Determining recovery parameters and critical activities for business processes
• Establishing the correct sequence of recovery activities
• Determining the critical resource requirements
We’re certified within our profession, and we’re certified by our alliance partners
We’re experienced, we’re present, and we’re trusted
What benefits can Customers get?
Risk Assessment Service
Challenges
• Lack of knowledge of key continuity risks
• Lack of visibility around potential threat sources to the business
• Residual risks not identified and evaluated
• Non-standard mitigation plans against risks to the business
• Inadequate / outdated risk assessment documentation
Objectives
• Holistic view of all business continuity-related risks
• Minimize organizational losses
• Ensure risks are within the organization’s risk appetite
• Implement effective governance
Managing risk is about creating value out of uncertainty
Risk Assessment Methodology
Proven risk assessment methodology aligned to ISO 31000
Key Terminologies
RA helps to identify:
• Key risks to the organization
• Strength of existing controls
• New controls for implementation
• Effective governance structure
RA output drives necessary mitigation plans to be implemented
Key Terms
Low Risks: The risk merits management awareness, but does not require remedial action
Medium Risks: Overall risk is manageable with some senior management intervention and remediation
High Risks: Risk is significant and strong remediation is required
RA is a process that identifies risks, ranks them by likelihood + impact, and implements plans to mitigate these risks
Risk Concepts
Risk is the effect of uncertainty on objectives
Organizational objectives can be Strategic, Tactical or Operational
Effect: Deviation from the expected – Positive / Negative
Risk is often expressed in terms of a combination of the “Consequences” of an event and the “likelihood” of its occurrence
• High / Medium risks can be treated, transferred, terminated or tolerated
Risk Assessment Methodology
Interviews, workshops, templates
Understand
• Process understanding
• Process Mapping
• SPOC Identification
Assess
• Defining risk methodology and risk appetite
• Evaluating risks
• Computing residual risks
Mitigate
• Define mitigation plan
• Assign timelines and owners
• Prioritize mitigation actions
Document
• Document risk register
• Prepare risk report
• Management signoff
• Clear deliverables
• Structured methodology
• Aligned to best practices
• Compliance to industry standard
• Independent review with SMEs
• Alignment to organization’s strategic goals
• Long term governance centric
Deliverables
# Deliverables
1 Kick off Presentation
2 RA Walkthrough Presentation
3 RA Questionnaire
4 Risk Register
5 RA Summary Report
6 Closing Presentation
How can we help?
• Facilitating information gathering and reviewing relevant documentation
• Developing process flow diagrams, mapping key internal and external dependencies
• Determining residual risk for business processes, sites and the organization
• Establishing necessary mitigation plans for various identified risks in line with the risk appetite
• Assisting in the closure and ongoing evaluation of continuity risks
What benefits can Customers get?
HPE Value Differentiation
Our Value Differentiation
• Support to improve service availability – reduce service disruptions
• Drive consistent customer experience
• Help to identify “Single Points of Failure”
• Assurance to reduce cost of operations
• Drive customer satisfaction – enhance brand value, drive top-line growth & reduce cost of non-performance
• Help to provide Regulatory Compliance Assurance
Let’s hear your voice!
State 2 of the building blocks to achieve BCDR
Open HPE Events App, and answer the following question to participate
Questions
Thank You
Mohamed Ashmawy
[email protected]
TSC Pursuit Saudi Lead