business continuity: best practices and challenges
TRANSCRIPT
Middle East Annual Conference 2014
Business continuity: Best practices and challenges
Guy Peterson
Senior Assurance and Resilience Expert Booz Allen Hamilton
This document contains Booz Allen Hamilton Inc. proprietary and confidential business information.
Abu Dhabi
30 April, 2014
BCM Trends, Best Practices and Challenges
Table of contents
• How ‘Resilient’ is your own organization?
• Today’s threat environment
• Why is business continuity important
• How do we successfully implement a business continuity program
• Key Considerations when implementing regulation and/or setting up a new BCM program
• Questions
How ‘Resilient’ is your organization?
1. Do you have a contingency planning framework adapted to your organization and associated operating model?
2. Are your plans driven from the ‘top down’, and aligned with strategic needs?
3. Is your contingency planning coordinated across all departments within the organization?
4. Do you conduct ‘Enterprise’ wide Risk & Business Impact Analysis?
5. Do you regularly test and exercise your plans?
6. Do you capture ‘lessons learnt’ as part of a continuous improvement process?
… If you answered NO to any of these questions, your organization may not be best positioned to respond to business disruption or disaster.
Risk management as a formal process has undergone substantial evolution over a relatively short period of time …
Timeline (figure):
• Jan 1900: Hurricane & flood destroys Galveston, Texas.
• Dec 1920: BP forms “Tanker Insurance Company LTD”.
• Sep 1921: “Risk, Uncertainty & Profits” published by Frank Knight.
• 1920 - 1970: Period where Risk was largely shaped by the Financial Services industry.
• 1975 - 1995: Period where Risk Management was heavily adopted into broader business decision making.
• Jul 1976: “The Risk Management Revolution” published by Fortune Magazine.
• Sep 1995: First Risk Management Standard published, “AS/NZS 4360:1995”.
• 1995 – 20xx: Period where Risk Management undergoes significant change to adapt to new demands.
… and Risk continues to evolve in response to a constantly changing threat environment
Maturity stages (figure), plotted by Scope (Business Unit → Location/Region → Enterprise) and Approach (Audit-driven → Event-driven → Risk-driven):
• 1. Reactive (Business Unit scope; Audit-driven approach)
– Inward looking
– Focused on already realized issues or known risks
– Very tactical
• 2. Integrated (Location/Region scope; Event-driven approach)
– Cross functional
– Risk workshops used to provide a degree of integration in risk treatment
– Risk Reporting performed; however, focus is on compliance
• 3. Adaptive (Enterprise scope; Risk-driven approach)
– Enterprise perspective
– Risk governance in place, and incorporated across the organization
– Risk embedded into decision making processes and organizational culture
Threats shown: Labour Strike; Terrorist Attack; Natural Disaster; Facility Incident; Cyber Attack; Pandemic.
This highly dynamic threat environment creates many challenges for security professionals in addressing enterprise risk exposure …
Types of Risk Management Functions: Operational Risk; Compliance; Physical Security; Market Risk; Cyber Security; Personnel Security; Credit Risk; Legal & Contractual.
Program elements shown for each function: LOB requirements & deliverables; Risk / compliance roles; Governance committees; Risk reviews and events; Charters, rules & responsibilities; Meetings, agendas & participants; Timelines.
Threats: Labour Strike; Terrorist Attack; Natural Disaster; Facility Incident; Cyber Attack; Pandemic.
Challenges:
• What are the major risks, issues and controls?
• Where is governance and oversight exercised?
• What key items are driving expense growth?
• What redundancies exist?
• What gaps exist?
• How can the current state be improved?
• How can risk and functionality be effectively balanced?
• How do we break down the functional silos that exist across different business lines?
Today’s threat environment is further complicated through our dependence on technology, which has created many opportunities for malicious attacks.
Most organizations are only prepared to handle a fraction of security concerns.
Risks: Intellectual Property Theft; Government and military strategy compromised; Monetary Losses; Operational Disruptions; Theft of classified information; National security at risk; Media Publicity; Regulator Intervention; Loss of Public Confidence.
Vulnerabilities: Hyper-Interconnectivity of Information Systems; Rapid Technological Infrastructure Expansion; Hard to Define Organizational Perimeters; Unprepared Workforce and Culture; Dissimilar Security Models Applied Across the Enterprise; Misaligned Policies.
Known Threat Actors: Insiders; Criminals; State Actors; Hacktivists; Affinity Groups.
Representative Attacks felt in the Middle East:
• Gauss (2012): One of the most sophisticated pieces of malware yet, designed to monitor bank account information and the money flow for various Middle Eastern banks.
• Shamoon (2012): Saudi Aramco, the world’s largest oil producer, was targeted by hackers for the government’s supposed support of “oppressive measures” in the Middle East.
• RasGas Attack (2012): A highly public attack against one of our most valuable national assets that resulted in widespread loss of information services.
• Mahdi (2012): Trojan espionage attack designed to target Middle Eastern critical infrastructure firms, engineering students, financial services firms, and government embassies.
The risk management programs of many organizations have not kept pace with the changes in business complexity …
Business Environment Complexity (figure), increasing from left to right:
• Centralized (1990s) – “Reactive” Risk Mitigation
– Largely independent and autonomous business environments
– Point of Presence (PoP) type operating model serving a locality or region
– Clearly defined boundaries in terms of markets, areas of operation, etc
• Distributed (Decentralized) (2000-10) – “Integrated” Risk Management
– Regional business environments
– PoP with regional governance structures
– Boundaries not always clearly defined
• Networked (2010 +) – “Adaptive” Enterprise Resilience
– Global business environments
– PoP with global governance structures
– Boundaries no longer apply, or are not easily distinguishable
Traditional ‘Stovepipe’ approaches to managing security fail to adequately mitigate Risk in today’s highly dynamic business environments
Typical Organisational ‘Stovepipes’ (figure; functions listed more than once appear in several silos): IT Security; Incident Management; Physical Security; Operations Center; IT Security; Information Security; IT Disaster Recovery; IT Disaster Recovery; Critical Infra. Protection; Incident Response; Continuity of Operations; Physical Security; Risk Management; OHS; Personnel Safety; Operational Risks; Project Risks; Strategic Risks; Early Warning; Personnel Security; Personnel Security; Incident Command Framework; Crisis Comms.
Limitations of Traditional Model:
• Limited awareness of operating conditions, risk exposures and critical gaps across the organisation – focus on individual silos
• Responsibilities and activities are dispersed across various functions with potential for overlap or duplication
• No clear accountability exists for ensuring the continuity of the business
• No clear performance metrics exist
• Difficulty in linking organisational strategy to multiple similar functions
• Investment decisions are not optimised across the enterprise
• Management and the Executive Boards have limited transparency into incident, recovery and continuity management
The solution is to take a broad Enterprise wide program that consolidates the full breadth of available resources in managing Risk
Program maturity (figure), from Siloed through Integrated to Optimized:
• Siloed – separate functions: ICT Security; DRP; Emergency Management; Physical Security; Personnel Security; BCP; Crisis Management; Operational Risk; Strategic Risk; Incident Response
– High levels of functional fragmentation
– Complex management processes
– Slow reaction time to risk
– Promotes dysfunctional behavior
• Integrated – consolidated into: Incident Response; BCM; Enterprise Security; Enterprise Risk Management
– Some levels of functional fragmentation
– Decentralized management
– Improved ability to respond to risk
• Optimized – Enterprise Resilience
– Little or no functional fragmentation
– Top-down management approach
– Highly dynamic response to risk
– Resilient security posture
Business Continuity is most effectively implemented using ‘business strategy’ principles to position the program for success
Strategy elements (figure, numbered 1–6 in the original): Business Need; Mission & Vision; Views & Perspectives; Priorities & Imperatives through Goals; Risk Assessment; Options; Implementation Roadmap; Action Plan(s); Implementation.
Framework inputs: Corporate Strategy; Key Earnings Drivers; Essential Processes, Technology & Organizations; Risks & Vulnerabilities; CLIENT Dependencies; Additional Insights.
Capturing perspectives through: Stakeholder Management; Purpose Management; and Issue Management.
Vision statement: “The Enterprise Resilience Program will …”
Implementation Roadmap streams: Engagement of Executive Staff; Establish cross-functional capability; Engage appropriate resources; Release policy and guidance; Risk & Business Impact Analysis; Implement Enterprise Risk Management framework; Develop Contingency plans; Enhance response capabilities; Performance Measurement; Establish a monitor and update capability; Integrate situational awareness capability; Facilitate dynamic Risk response capability; Mature and test the program.
An appropriate framework needs to be developed to manage the business continuity planning process in context of unique organizational requirements
Framework elements (figure, numbered 1–7 in the original):
• Governance
• Management, Capability & Preparedness
• Enterprise Risk Management: Strategic Risk; Operational Risk; Security Risk
• Integrated Security: Physical Security; Information Security; Personnel Security
• Response Management: Situational Awareness; Incident Response; Test & Exercise
• Contingency Planning: Operations (COOP); Processes (BCP); Functional (DRP, etc)
• Risk & Business Impact Analysis (BIA) and Management
The Business Continuity Planning Process (figure): Project Planning; Business Impact Analysis; Strategy Development; Plan Development; Awareness & Training; Testing & Exercising; Maintenance & Updating; Risk Assessment & Analysis; The Plan.
Source: Disaster Recovery Institute International (DRII)
A gap analysis is used to develop options, and a single ‘go forward’ strategy is recommended to implement the business continuity program
Resilience Maturity Scale (figure): No Capability → Limited Capability → Siloed Capability → Integrated Capability → Optimised Capability.
Each of the seven framework elements (Governance; Management, Capability & Preparedness; Risk Management; Business Impact Analysis; Contingency Planning; Response Management; Integrated Security) is rated from – to + on this scale, showing the Current State Capability, the Desired Maturity, and the Capability Gap between them.
The Strategy provides clear guidance across the organization to ensure the program is successfully implemented
Workstreams (figure):
• Engagement of Executive Staff
• Establish cross-functional capability
• Engage appropriate resources
• Release policy and guidance
• Risk & Business Impact Analysis
• Implement Enterprise Risk Management framework
• Develop Contingency plans
• Enhance response capabilities
• Performance Measurement
• Establish a monitor and update capability
• Integrate situational awareness capability
• Facilitate dynamic Risk response capability
• Mature and test the program
Phases:
• Phase 1 – Foundational (x – x Months): Establishing the necessary capability to build the program
• Phase 2 – Maturing (x – x Months): Integrating the program and introducing functional capability
• Phase 3 – Optimized (x – x Months): Transformation to ‘Best Practice’ capability
Each strategic activity is supported by an ‘Action Plan’ to establish clear direction, expected performance measures and accountability
Strategy / Supporting Initiatives / Phase in Which Initiatives Commence / Capability Uplift:
• Engagement of Executive Staff
– Supporting Initiatives: Assign appropriate ownership and accountabilities; Establish defined roles and responsibilities
– Phase: Phase 1
– Capability Uplift: Program established at enterprise level
• Establish cross-functional capability
– Supporting Initiatives: Establish appropriate governance framework through forums, committees, R&R, etc; Develop initial team makeup requirements for an Emergency Operations Centre, covering a range of business disruptions
– Phase: Phase 1
– Capability Uplift: Enterprise wide pragmatic view of BCM capabilities
• Engage appropriate resources
– Supporting Initiatives: Establish BCM team with sufficient resources to undertake qualitative analysis of program
– Phase: Phase 1
– Capability Uplift: Resources in place to apply qualitative assessment of program content
• Release policy and guidance
– Supporting Initiatives: Formalise information flow between existing forums; Build on current capabilities through increasing collaboration across program capability areas; Build capabilities focused on integrating BCM domains (Risk, Security etc); Initiate Training and Awareness Program; Develop Contingency Planning Policy and Guidance
– Phase: Phase 1
– Capability Uplift: Alignment around common objectives
Action Plan … for each of: Engagement of Executive staff; Establish cross functional capability; Engage appropriate resources; Release Policy & Guidance.
Ultimately the ‘vision’ is to position the organization to respond to an event in a ‘planned’ way, with ‘managed’ levels of business disruption
Figures: “Approaches to Crisis Management” and “Lifecycle Event Management Phases and Activity Streams” (Source: Booz Allen).
Following a crisis, an “Adaptive” program is positioned to more effectively respond to a given event within required timelines while managing cost / benefit tradeoffs.
Business Continuity Management is standardized both internationally & nationally, and is becoming heavily regulated at federal and/or industry levels
International:
• International Organization for Standardisation (ISO) 22301:2012 Societal Security – Business Continuity Management Systems – Requirements.
• ISO31000:2009 Risk management – Principles and guidelines
• ISO27001:2013 Information Security Management
• ISO27031:2011 ICT Readiness for Business Continuity
National:
• Business Continuity Management Standard AE/HSC/7000:2012 Version (1) issued by the National Emergency Crisis and Disasters Management Authority of the Higher National Security Council of the United Arab Emirates; and,
• Environment, Health & Safety (EHS) – currently under development
• NESA – currently under development
• CICPA – Regulations & Requirements for security permits
• Sector/Industry regulators i.e. Telecommunications Regulatory Authority (TRA)
Abu Dhabi:
• Various Laws & Regulations
• ADSIC Information Security Policy & Standards
• Sector/Industry regulators i.e. Regulation & Supervision Bureau (RSB)
In the context of a regulatory environment and/or a new BCM program, there are many valuable lessons learned to be considered …
• The ‘processes’ described in standards should only be seen as minimal considerations. Standards are intentionally written at a high level to be broadly applicable to all organizations! Relevant to the “AE-HSC-7000 Standard”, the concepts described in the standard must be adapted to organizational context to be successfully implemented!
• Don’t only seek to ‘comply’ with regulation – taking a minimal approach to business continuity may pass audit requirements; however, it is unlikely to address risk appropriately.
• Tradeoffs need to be understood to make informed decisions:
– Amount of analysis required to provide meaningful data
– Analysis methodologies
  – Risk Management: All Hazards vs. detailed threat analysis
  – BIA: Detailed business process mapping vs. Value Chains, etc
– Return on Investment (ROI) needs to balance investment decisions into risk control
Enterprise resilience is a reality for many organizations that choose
to invest in business continuity
• Executive Support is mandatory to success;
• A strong culture of Responsibility and Accountability must be embedded over time;
• Upfront investment into Strategy development will ensure the program is adapted to the organization:
– Defining accurate strategic objectives;
– Structures and Frameworks;
– Performance Monitoring;
– Assessing Options, tradeoffs, etc.;
• Skills and Expertise: having the right people available throughout different stages of implementation;
• Alignment of other activities and projects;
• Understanding the environment, and simplifying wherever possible.
Questions?
Guy Peterson, Senior Associate
Booz Allen Hamilton
Office: +971.2.691.3629
UAE Mobile: +971.50.558.6314