ibm bcrs “keeping businesses in business” · ibm business continuity and resiliency services...

IBM Business Continuity and Resiliency Services

IBM BCRS “Keeping Businesses in Business”Rick LindsayGlobal BDE, IBM BCRS


© 2010 IBM Corporation2

Rick Lindsay

Global Business Development Executive for IBM’s Business Continuity and Resilience Services line of business

Has worked with major companies across the globe on Business Resilience and Continuity issues since 1993

Dankse Bank (Denmark) Bancolombia (Colombia)Banco de Crédito del Perú Development Bank of SingaporeBradesco (Brasil) Bank of ChinaING (Benelux) Toronto Dominion Bank (Canada)Royal Bank of Canada CIBC (Canada)CIB (Egypt) Banque Misr (Egypt)Minera Yanacocha (Peru) American Airlines (US)

Co-developer of IBM Resilience Framework

Recipient of IBM Engagement Excellence Award

Thirty+ years with IBM, including six years IBM management experience at the local, national and global level

IBM Business Continuity & Resiliency Services

Analyze Risk,Plan & Prepare

Absorb, Contain,Mitigate

Adapt, Sustain,Restore

Risk & ResiliencyManagement



Breaking News – Forrester Rates IBM as Leader in Disaster Recovery Services!

Source: The Forrester Wave™: Disaster Recovery Services Providers, Q2 2010

https://www-935.ibm.com/services/us/bcrs/pdf/forrester2010wavedisasterrecoveryservicesprovidersq2-2010-sbalaourasrdines-6-9-2010.pdf



The recent “financial crisis” has caused many companies to become aggressive about reducing costs

Although much of the financial system has “stabilized”:

Credit remains scarce

Economic activity has slowed

Companies are cutting costs – or at least managing them very tightly

IT budgets declined about 8% in 2009 and are expected to be essentially flat in 2010 – close to 2005 levels (Gartner)

http://www.gartner.com/it/page.jsp?id=1283413



At the same time, the Range of Risks companies are facing is increasing

TerrorismCyber attacksBiological threatsEmployee sabotage

RegulationRegional and

international tensions

Increased global competitionInter-dependenciesDemand elasticity

PervasiveMore complexComponent failure

Natural phenomenaCatastrophic eventsWorkplace issues

Technological

Economic

Political

Environmental Social

Business Operations

An IBM CIO Study showed that 71% of CIOs ranked risk management and compliance as an area of focus for enhanced competitiveness.

“Of all the management tasks that were bungled in the period leading up to the global recession, none was bungled more egregiously than the management of risk.”HBR Spotlight on Risk: Managing Risk in the New World



Past events demonstrate the range of risks and the impacts they have

EventEvent DateDate ImpactImpact

Earthquake in Chile 2010 Estimated $30B+ in damages, over 200 lives lost

H1N1 (“Swine flu”) outbreak 2009 Affects company operations throughout Mexico (and other parts of the world)

Global financial crisis 20082009

Companies’, individuals’ and governments’ financial viability threatened

Unauthorized employee actions 2008 Single trader makes unauthorized transactions, costing Société Générale almost €5 Billion

Facilities disruptions 2006 - 2007

Repeated disruptions to banking services gets attention of country banking regulators (major European Bank)

“Routine programming update” 2004 Disrupts major NA bank’s operations for 4-5 days

“IT Breakdown” 2003 Halts IT-based bank services for several days (major Nordic Bank)

Malicious computer worm hits 13,000 ATMs at B of A 2003 Bank unable to process customer transactions and impacted

Internet traffic worldwide

Competitor goes on strike 1997 Distribution company’s operations overwhelmed and unable to capitalize on fleeting market opportunity

Product tampering 1982 Tylenol scare nearly dooms Johnson & Johnson



While “catastrophic level” disruptions make headlines, smaller “operational level” disruptions can also have a significant impact

A report from the Basel Committee analyzed reported Loss Data from 63 financial institutions:

Average of 586 loss events over €10,000 in a single year

Average total loss of €92 million per institution

Nearly 98% of these incidents were associated with losses of under €500,000

Almost two out of three (62 percent) enterprises with revenues over US$5 billion have encountered material risk events in the last three years. Of those, nearly half (42 percent) were not well prepared for it.

“Balancing Risks and Performance with an Integrated Finance Organization” (The Global CFO Study 2008 Executive Summary), IBM Institute for Business Values



Collectively, these “non-catastrophic” disruptions can have “boardroom-level” impacts on company revenue.

First estimate - simple downtime calculationScheduled hours 8320Downtime for average customer 81.75Yearly ABC Americas Revenue 1,000,000,000$ Revenue per scheduled hour of operation 120,192.31$ Annual revenue impact 9,826,007.33$

Second Estimate - split peak hours and non-peak hoursAssumed number of peak hours/day 12% of revenue from peak hours 85%% of outage hours which occur during peak hours 80%Revenue loss from peak time outages 13,363,369.96$ Revenue loss from off-peak time outages 589,560.44$ Annual revenue impact 13,952,930.40$

Third Estimate - customers don't return to ABC immediately after service is restored

CASE 1: 50% of time customer switches back to ABC as soon as ABC is back upCASE 2: 50% of time customer does not switch back from competitor for 24 hoursAssume customer switches to Competitor 1 or Competitor 2 randomly

Lost revenue from peak time lost 110,879,853.48$ Lost revenue from off-peak time lost 4,891,758.24$ Annual revenue impact 115,771,611.72$

Sanitized example from prior client (numbers are “real”)

About 99% availability



These dynamics are changing how companies think about and manage “disaster recovery”

Risk responsibility

Risk exposure

Source: Economist Intelligence Unit, Business resilience: Ensuring continuity in a volatile environment, 2007.



Costs of Business Continuity solutions can increase dramatically as the level of protection increases

Business Continuity Costs

Costsof Mitigation

Solutions

DR solutions

IT Resilience

Architecture

IT Service Delivery

Topology

People and Processes

Work Place Strategy

Data and Information

Protection

Lower HigherContinuity Capabilities

Types ofMitigation Solutions

Higher



However, at any given level of protection, quantifiable risks remain

Loss Avoidance

Higher Capital

Allocation Requirements

Lower Credit Ratings

Fine and Penalty

Avoidance

Maintenance of

Customer Confidence

Maintain Social

Responsibility

Cost Avoidance


Costs from Residual Risks

Costsof Mitigation

Solutions


Tota

l Cos

ts A

ssoc

iate

d w

ith R

isk

and

Miti

gatio

nPotential Risk Cost

Elements


Higher

DR solutions

IT Resilience

Architecture

IT Service Delivery

Topology


Work Place Strategy


Protection



As capabilities increase, the costs of residual risk decrease

Loss Avoidance

Higher Capital



Fine and Penalty

Avoidance

Maintenance of

Customer Confidence

Maintain Social

Responsibility

Cost Avoidance



Costsof Mitigation

Solutions


Tota

l Cos

ts A

ssoc

iate

d w

ith R

isk

and

Miti

gatio


Elements


Higher

DR solutions

IT Resilience

Architecture

IT Service Delivery

Topology


Work Place Strategy


Protection



Costs of Business Continuity solutions must be balanced against the protection they provide to the company

Loss Avoidance

Higher Capital



Fine and Penalty

Avoidance

Maintenance of

Customer Confidence

Maintain Social

Responsibility

Cost Avoidance



Costsof Mitigation

Solutions


Tota

l Cos

ts A

ssoc

iate

d w

ith R

isk

and

Miti

gatio


Elements


Higher

DR solutions

IT Resilience

Architecture

IT Service Delivery

Topology


Work Place Strategy


Protection

Optimum Resilience Risk

Balance



The economics of Business Continuity continue to change, making Business Continuity Optimization an ongoing process

Tota

l Cos

ts

Costof mitigation

Lossesdue to

disruption

OptimumInvestment

Past

Tota

l Cos

tsCost

of mitigation

Lossesdue to

disruption

OptimumInvestment

Now/Future

ConsequencesBrand ImageLegalBusiness StrategyEnterprise Demise

Cost of disruptionLost RevenueFinesLost ProductivityWasted Goods

Continuity CapabilitiesLower Higher

Continuity CapabilitiesLower Higher



Business requirements have evolved from “recovery” following a disruption to “providing uninterrupted operations”

Regulatory Pressures Online Computing Availability Requirements

The Changing DynamicsRecovery Times Risk Profiles Approach to Planning Technology Capability

Business RecoveryRecovering business operations following an interruption

Business ResilienceMaintaining business operations/viability through all kinds of stresses and strains … and opportunities

Business Continuity Maintaining business capabilities through disruptive events

Disaster Recovery IT Recovery following some kind of “catastrophic” failure

Past Present/Future



Manage

Set Objectives

Design

Deploy

Plan

Implem

ent

ControlMonitor

Evaluate

AnalyzeResilience Lifecycle

Ass

ess

Companies need a continuous improvement methodology that focuses on the resilience lifecycle to help reduce risk, improve governance and enable compliance.

Risk Mitigation

Regulatory Compliance

Corporate Governance

Business Imperatives

Inputs: Business objectives, goals, priorities, policies & current capabilities

Outputs: Reduced Risk, Improved governance and enabled compliance



To begin, complete a thorough analysis of potential risks and the current ability of the company to mitigate them

Manage

Set Objectives

Design

Deploy

Plan

ControlMonitor

Evaluate


Ass

ess

Assess Analyze current & potential risks

Establish a risk profile By business location

By line of business function

By business process

Determine impact of event Financial

Opportunity

Reputation

Analyze capabilities for mitigation

Define customized risk framework IBM Business Resilience Framework

Identify risk areas for further analysis

Assess maturity of mitigation capabilities Basic

Managed

Predictive

Adaptive

Resilient

Implem

ent



Next, set the objectives for the reach and range of what risks you may need to mitigate.

Manage

Set Objectives

Design

Deploy

Plan

ControlMonitor

Evaluate


Ass

ess

Plan

Setting objectives for risk mitigation or enhancement

Define the scope for the risk strategy Extended enterprise

Enterprise-wide

Line of business

Business process

Business system

Select risks to be mitigated or enhanced Procedural

Technical

Organizational

Economical

Financial

Extra-structural

Infra-structural

Geological

Environmental

Societal

Governmental

Implem

ent



Implement a strategy & architecture that protects critical information and ensures Operational Resilience.

Implement

Design for Operational Resilience

Conceptual design

Business and Financial Justification -Concurrence among business executives and explanation to internal and external audit groups

Governance / Authority / Policies -Communication, mission, discipline

Systems Management Disciplines - Problem, change, configuration, etc.

Security- Physical and logical

Application & Data - Data protection, backup, restart, synchronization

Program Execution - Reporting, roles and responsibilities, public relations, business integration, plan invocation

Facilities – Location & management

Solution design

Goals and guiding principles

Functional, logical & technical components

Benefits, solution costs & implementation plan

Deployment of Operational Resilience

Protection of critical information

Recoverability of business functions

Manage

Set Objectives

Design

Deploy

Plan

ControlMonitor

Evaluate


Ass

ess

Implem

ent



Ongoing management is required to ensure continued operational resilience through control and monitoring

Manage

Control negative risk while enhancing positive risk

Ongoing management of risks before, during and after an event

Regular testing to ensure preparedness

Enforcement of governance policies & procedures

Training to ensure all employees understand their roles and responsibilities

Proactive information & data protection

Accurate communications at all times

Access to critical information when needed

Monitoring current conditions to detect and respond to risks

Proactive negative and positive risk response

Focus on continuous improvement of risk response strategies

Timely reporting of exceptions, measurements and metrics

Root cause analysis Manage

Set Objectives

Design

Deploy

Plan

ControlMonitor

Evaluate


Ass

ess

Implem

ent



The resilience lifecycle provides for a continuous improvement process to ensure currency of the Operational Resilience strategy and architecture.

Manage

Set Objectives

Design

Deploy

Plan

ControlMonitor

Evaluate


Ass

ess

Assess Evaluate performance

Utilize Resilient Project Office

Availability

Recovery

Security

Evaluate resilience performance

Review metrics and performance gaps

Review business and IT changes

Assess post incident data

Perform root cause analysis

Reporting on performance

Produce daily, weekly, monthly, quarterly, yearly reports for management

Produce appropriate reports for corporate, industry or government auditors

Resilience Dashboard

Implem

ent



IBM Business Continuity & Resiliency Services provides services to help realize the strategy and architecture for Operational Resilience

Recovery Services

Protection Services

IT Availability Business Continuity

IBM solutions for enabling IT governance and risk management

Manage

Ass

ess

Set Objectives

Design

Deploy

Plan

Implem

ent

ControlMonitor

Evaluate


Work Area IT Crisis

Response

Consulting Services

Access & Plan Design Implement

Managed Services

Remote Onsite Custom Archive &Data Data Data Retention

BC

RS

Con

tinuu

m o

f Ser

vice

s



Although our “roots” are in IT Disaster Recovery, BCRS offers a variety of services to “keep businesses in business”

Traditional Data Center recovery

Services to allow a customer to run their IT operations from an IBM managed location, using client or IBM owned equipment

Work Area Recovery

Equipped office space for customer workgroups to use when their normal facilities are not available

Business Continuity/Resiliency consulting services

Evaluate client’s risks, impacts and capabilities

Define strategies to cost-effectively mitigate risks

Design infrastructures and services to implement those strategies

Establish management programs to sustain those capabilities over time

Managed data backups

Managed service to backup customer data, at either client premises or IBM premises

Centralized data or distributed data



IBM Disaster Recovery Services

Work area recovery

IT recovery

Crisis management and response

Delivery

Consultantsand tools

Data center facilities

Workplaces for critical business

We provide a portfolio of services to enable new levels of Resilience, from consulting to managed services

Services

IBM Resiliency Consulting Services

Assessment and planning

Design

Implementation

Program management

IBM Information Protection Services

Remote data protection

Onsite data protection

Custom data protection management

Data retention and archival

IBM Managed Resiliency Services

Managed continuity

Managed availability



Operational Availability Improvement: US-based financial services company

Challenge– Stabilize and improve the customer services systems used by over 12,000 customer service

representatives at eight locations to support over 50 million customers– “We or our successors will solve this problem” (CIO to her VPs)

Initial Approach– Availability Management consulting methodology

Follow-on solutions– Established rigorous systems management processes to improve system stability and availability – Implemented process and toolsets for managing performance and capacity– Developed architecture and roadmap for implementation of security access controls– Several technology projects – product sales and implementation assistanceClient Benefits– Improved customer satisfaction by reducing impact of customer service disruptions by 57 percent– Improved availability of customer service personnel and systems– Enhanced overall risk management posture



DR Strategy: European arm of global financial services company

Challenge– Develop and implement tactical and strategic DR solutions to comply with regulatory

requirements and ensure business continuity

Initial Approach• Assessed current status of client’s initiatives and defined 3-5 year roadmap to achieve client goals

Follow-on Solutions Comprehensive and integrated set of consulting services, including:

Recovery Architecture Design

Business Continuity Governance

DR Testing Framework

DC DR Framework Design

Client Benefits– Establishing a “survival mode” in the event that a disaster occurs before client is able to establish

a resilient environment– Securing approval for the strategic approach from regulatory agencies



Managed Continuity: South American Bank

Challenge– Develop long term strategy for addressing business continuity requirements imposed by both

internal and external requirements

Initial Approach• Developed comprehensive Data Center and Call Center strategy to provide protection against both local and regional risks

Follow-on Solutions• Comprehensive “Out of Region” recovery solution (in Hortolândia, Brasil)

Client Benefits– Establishing a “survival mode” in case of a “regional” catastrophe– Satisfying internal and external requirements for recoverability



Information Protection: Multinational Market Research Company

Challenge– Only three FTEs to manage daily backups of 3TB across 37 branch offices– Criticality of 28 remote Exchange servers

Solution– Remote data protection for messaging and file systems

Benefits– Increased data availability and security– Full audit trail visibility to meet regulatory compliance requirements– Predictable costs through pay-as-you-go service model

“With this solution, we are assured that all data from our remote branches is backed up and easily restorable. And the centralized, Web-based management allows my staff to cost effectively fulfill the oversight and audit responsibilities mandated by Sarbanes Oxley and other regulations.”

—IT Director



With virtually unmatched global presence, IBM BCRS can serve the needs of any client

40 years of experience

Over 10,000 clients

> 400 instances of open-systems support (IBM, Sun, Cisco, HP…)

>76,000 enterprise server MIPS

>700 enterprise server terabytes

> 425 IBM System p™ servers

> 350 IBM System i™ servers

5,000,000 square feet of equipped floor space for workplace replacement

40,000 seats

100% recovery record

1600 professionals 154 resiliency centers 55 countries



Thank You!

ibm bcrs “keeping businesses in business” · ibm business continuity and resiliency services...

Documents