A PRAGMATIC AND EFFECTIVE APPROACH TO BUSINESS CONTINUITY AND RECOVERY PLANNING

By Hussein K. Isingoma, CISA, CISM, CRISC, CIA, FCCA, CPA, MSc, BBS
Ag. Assistant Commissioner, Internal Audit, Ministry of Finance, Planning and Economic Development

Upload: geoffrey-carr

Post on 26-Dec-2015


Page 1

BY HUSSEIN K. ISINGOMA

CISA,CISM,CRISC,CIA,FCCA,CPA,MSC,BBS

AG. ASSISTANT COMMISSIONER,INTERNAL AUDIT

MINISTRY OF FINANCE,PLANNING AND ECONOMIC DEVELOPMENT

A PRAGMATIC AND EFFECTIVE APPROACH TO BUSINESS CONTINUITY AND RECOVERY PLANNING

July 2011


Page 2

Presentation Plan

Introduction and Background

Understanding Business Continuity and Disaster Recovery Planning

The Need for BC/DR Planning and Management

BC/DR Planning Tasks/Processes

Achieving effective BC/DR Planning; Key Issues

BCP resiliency: Thinking Cloud?

Conclusions


Page 3

Introduction and Background

The world is still fresh with the shock and memories of the recent events and impact of the March 2011 Japanese earthquake/tsunami, which caused devastating destruction to infrastructure and, above all, to the Fukushima Nuclear Plant

The Fukushima disaster is being termed as probably the biggest industrial catastrophe in the history of mankind

The nuclear plant was run by the Tokyo Electric Power Company (TEPCO), which supplied 1/3 of Japan’s electricity up until the quake.

The seawall that was designed to mitigate the impact of a tsunami was only 5.7 metres high, and no previous assessment had ever considered the possibility of a tsunami exceeding 5.7 metres. That assumption was wrong: the 03/11 tsunami rose to 15 metres, just 45 minutes after the earthquake

A BBC news report and the Economist newspaper of 28th June 2011 reported an 85% fall in TEPCO's share price; the company faced the prospect of $100 billion in compensation, 23,000 people died or were missing, and 80,000 were evacuated

The company’s tsunami safety plan was only one page long and had last been updated in 2001

The 9/11 World Trade Centre terrorist attack took out a total of 13,000 servers, and the estimated cost of replacing IT for the affected securities firms stood at $3.2 billion.

Some of the other disasters or near disasters occasioned by IT failures include the loss of 25 million records of Child Benefit recipients in the UK, and the failure of the former Soviet Union's early warning system in 1983 that almost drew the world to the prospect of World War III.


Page 4

Business Continuity/Disaster Recovery Planning

The purpose of Business Continuity is to ensure that core business functions continue with minimal or no interruption.

The objective is to ensure that the organization will survive and continue to generate revenue.

Disaster recovery is about rebuilding

Clients and investors alike are notorious for abandoning organizations during their rebuilding phases

It doesn’t take much to cause layoffs, falls in stock or share prices, or even permanent shutdowns

The above realities lead us to the evolution from disaster recovery to business continuity


Page 5

The Need for BC/DR Planning and Management

What do organizations or businesses need?

News of the World!!!! Did they ever plan for the phone hacking scandal that led to its closure???

In the aftermath of recent natural disasters, terrorism and equipment breakdowns, businesses have recognized more than ever the need to be prepared

Firms/companies are striving to meet the demand for continuous service

The growth of e-commerce has pushed systems availability expectations toward 24x365

It is important that a BCP, adequately supported throughout the organization, embodies the strategic framework for a corporate culture that mitigates the risks which might cause:
- Business process failure
- Asset loss
- Regulatory liability
- Customer service failure
- Damage to reputation

Business survival necessitates planning for every type of business interruption.


Page 6

BC/DR Planning: The Risk Management Perspective

[Diagram: BC/DR planning shown as part of the risk response strategies within risk management]


Page 7

BC/DR Planning Tasks/Processes


Page 8

BC/DR Planning Enablers


Page 9

Rationale for BC/DR Planning; the Business Value case

Value delivery. Coping with severe impacts on the business arising out of interruptions makes businesses more valuable, reliable and dependable

Survival. A well designed, exercised and maintained plan is what lies between a business’s ability to continue as a going concern and going bust!

Risk Management maturity enhancement

Competitive advantage; the case for offshore software development initiatives/vendors

Staff and client confidence

Compliance

Insurance costs/premiums

Diagnosing organizational efficiency


Page 10

Business Contingency Planning General Procedures

[Flowchart, reconstructed from the slide's node labels; the arrow order is inferred]
Disaster → 1st person on scene calls BC Manager → Call Recovery Management Team → Recovery Mgt Team reports to Command Centre; Recovery Team reports to Disaster Scene → Report status to Recovery Mgt Team
Decision: Will Orgn. be out > 72hrs? No → Return to Normal Operations. Yes → Inform COO/CTO
Decision: Invoke BCP? No → Return to Normal Operations. Yes → Invoke BCP → Call Business Continuity Coordinator → Inform HQ’s

Page 11

Achieving effective BC/DR Planning; Key Issues

Top or Senior Management Sponsorship. Consensus ought to be established to:
- Guide which aspects of the business are to stay operational in case of disruptions
- Set the level of protection needed; the risk appetite
- Synchronize BC/DR plans with the overall business strategy

Risk Analysis
- Risk identification should consider a wide range of possible scenarios. More often than not, BCPs consider only the most likely scenarios
- Although focusing on big events is desirable, a narrow focus on risk could leave potentially disastrous events unaddressed

Business Impact Analysis
- Organizations have limited resources. There is a need to focus on the key processes that need to be recovered in case of a disaster
- Focus on key business processes and critical dependencies
- The BIA needs to be kept updated as the business changes, or subjected to periodic review
- Identify process-specific Recovery Time Objectives (RTOs)
- Prioritise recovery efforts based on agreed RTOs
- Review service level agreements with service providers
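The BIA points above (key processes, critical dependencies, process-specific RTOs, prioritised recovery) can be made concrete in a small register check. This is an added example, not material from the presentation; the process names, RTOs and dependencies are constructed sample data. It orders recovery so that no process is restored before the processes it depends on, picking the shortest agreed RTO among whatever is ready, and it flags any RTO that cannot be met because a dependency has a longer RTO.

```python
"""Added worked example: prioritising BC/DR recovery from a BIA register.

The register maps each process to (agreed RTO in hours, critical dependencies).
All values are constructed sample data, not from any real organisation."""
from collections import defaultdict

SAMPLE_BIA = {
    "core_network": (1,  []),
    "auth":         (2,  ["core_network"]),
    "fraud_screen": (8,  ["core_network"]),
    "payments":     (4,  ["core_network", "auth", "fraud_screen"]),
    "email":        (24, ["core_network", "auth"]),
    "hr_db":        (48, ["core_network"]),
    "payroll":      (72, ["auth", "hr_db"]),
}


def rto_conflicts(bia):
    """Return sorted (process, dependency) pairs whose agreed RTO is not
    achievable: the dependency's RTO is longer than the process's own RTO."""
    conflicts = []
    for proc, (rto, deps) in bia.items():
        for dep in deps:
            if dep not in bia:
                raise KeyError(f"{proc} depends on unknown process {dep!r}")
            if bia[dep][0] > rto:
                conflicts.append((proc, dep))
    return sorted(conflicts)


def recovery_order(bia):
    """Kahn's topological sort over the dependency graph; among the processes
    whose dependencies are already recovered, the shortest RTO goes first."""
    indegree = {p: len(deps) for p, (_, deps) in bia.items()}
    dependents = defaultdict(list)
    for p, (_, deps) in bia.items():
        for d in deps:
            dependents[d].append(p)
    ready = [p for p, n in indegree.items() if n == 0]
    order = []
    while ready:
        ready.sort(key=lambda p: (bia[p][0], p))  # shortest agreed RTO first
        p = ready.pop(0)
        order.append(p)
        for q in dependents[p]:
            indegree[q] -= 1
            if indegree[q] == 0:
                ready.append(q)
    if len(order) != len(bia):  # leftovers mean a dependency cycle
        raise ValueError("circular dependency in BIA register")
    return order
```

With the sample register, `payments` (RTO 4h) cannot meet its RTO because it depends on `fraud_screen` (RTO 8h); that is exactly the kind of finding a BIA review should surface before a disaster does.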


Page 12

Achieving effective BC/DR Planning; Key Issues (contd.)

BC/DR organization
- Roles and responsibilities need to be defined
- BC/DR requires organization, coordination and execution
- How and when is a disaster declared, and by whom? Criteria for disaster definition and therefore declaration

Plan exercising/testing
- If a BC/DR plan is not tested, it could fail under the stress of a real disaster
- The ability of the BCP to execute when a disaster is declared is key
- Annual testing of the plan is desirable
- Look at ways of integrating testing into normal business operations
- Opportunity to test failover/redundancies

Scoping
- Over-concentration on resumption of business at the expense of people and processes
- Personnel can be incredibly inventive and innovative, as opposed to systems, in times of disaster
- People issues tend to be the more difficult challenges to resolve during a disaster


Page 13

Achieving effective BC/DR Planning; Key Issues (contd.)

Funding of BC/DR activities
- Many organizations consider BC/DR as good but not essential
- Many plans are unfunded, posing further risks to the organization's business continuity
- There is a need to develop formal business cases for BC/DR funding
- Projects need to take continuity issues into consideration before implementation

Communication plan
- There is a need for a well documented communication plan
- Employee call trees and supplier and vendor contacts need to be constantly updated
- Consider multi-vendor support for key means of communication

Media Management/Public relations
- Need to mitigate reputation loss through effective media management
- Clients and the public need reassurance and faith that the situation is not as bad as perceived and is under control
- It's about winning the hearts and minds of stakeholders
- Staff members or employees should not give their own view of the situation to the media
- Prepare public statements in advance to prevent the media from turning the situation into a public relations nightmare


Page 14

Achieving effective BC/DR Planning; Key Issues (contd.)

Security
- The time the organization is most vulnerable to security threats is in a time of disaster
- The propensity to ignore security procedures is very high
- The Incident Management team and structure must include appropriate IT security staff to stem all possible anomalies

Inventory Management
- Review the inventory list continuously
- A comprehensive list of the equipment needed for recovery and resumption activities should be maintained

Role of insurance
- Need to ensure that insurance provisions address timely reimbursement of losses accruing from a disaster
- Internal organizational policies need to address the accounting treatment of assets and related depreciation
- A clear definition of the scope covered under insurance is critical
- Insurance policies need to be constantly monitored so as to reflect the new realities, risks or challenges to the business


Page 15

Complacency!

BCP requires constant updating

Business risks and related potential impacts are constantly changing


Page 16

BCP resiliency: Thinking Cloud?

Amazon EC2 Lessons

Whilst it is easy to be critical of Amazon, for many who have used its EC2 Cloud, the benefits to their performance, business continuity and resilience have been significant. Many have been able to achieve higher levels of uptime and reduce costs whilst managing higher demands.

The April 2011 AWS (Amazon EC2) "failure" has probably caused their customers to take a hard look at their business continuity plans

Challenges related to security responsibility, information residence, data ownership and confidentiality remain in the cloud

A well structured service level agreement (SLA) that includes the right to audit is key in assisting the organization in managing its data in the cloud, whether stored, in transit or being processed

Think through the move to the cloud carefully and thoroughly

Understand the infrastructure upon which the cloud operates; do you need internal IT resources???

How robust are your cloud SLAs as regards compensation for downtime? Are they worth the cost of the downtime?

Remember too well that: your fate is in the hands of the service provider, whose fate is in the hands of …….?????


Page 17

BCP; Which Way to go???

Crossroads or an epitome of science? Balancing the Act!!!

"The greatest joy of living is not in never falling but getting up every time you fall" – Nelson Mandela


Page 18

References: BCP standards

Control Objectives for Information and Related Technology (COBIT)

Federal Emergency Management Association (FEMA)

National Institute of Standards and Technology (NIST)

Disaster Recovery Institute International (DRII)


Page 19

Conclusion!

BCP is about managing and mitigating the potential impact of change

Remember!

‘When trying to predict future organizational environments, it seems that our only certainty is that things will change’

(Kotler, 1998)
