TRANSCRIPT
IBM Business Continuity and Resiliency Services
IBM BCRS “Keeping Businesses in Business”
Rick Lindsay
Global BDE, IBM BCRS
© 2010 IBM Corporation
Rick Lindsay
Global Business Development Executive for IBM’s Business Continuity and Resilience Services line of business
Has worked with major companies across the globe on Business Resilience and Continuity issues since 1993
Danske Bank (Denmark); Bancolombia (Colombia); Banco de Crédito del Perú; Development Bank of Singapore; Bradesco (Brasil); Bank of China; ING (Benelux); Toronto Dominion Bank (Canada); Royal Bank of Canada; CIBC (Canada); CIB (Egypt); Banque Misr (Egypt); Minera Yanacocha (Peru); American Airlines (US)
Co-developer of IBM Resilience Framework
Recipient of IBM Engagement Excellence Award
Thirty+ years with IBM, including six years IBM management experience at the local, national and global level
[Figure: IBM Business Continuity & Resiliency Services. Analyze Risk, Plan & Prepare; Absorb, Contain, Mitigate; Adapt, Sustain, Restore; Risk & Resiliency Management]
Breaking News – Forrester Rates IBM as Leader in Disaster Recovery Services!
Source: The Forrester Wave™: Disaster Recovery Services Providers, Q2 2010
https://www-935.ibm.com/services/us/bcrs/pdf/forrester2010wavedisasterrecoveryservicesprovidersq2-2010-sbalaourasrdines-6-9-2010.pdf
The recent “financial crisis” has caused many companies to become aggressive about reducing costs
Although much of the financial system has “stabilized”:
Credit remains scarce
Economic activity has slowed
Companies are cutting costs – or at least managing them very tightly
IT budgets declined about 8% in 2009 and are expected to be essentially flat in 2010 – close to 2005 levels (Gartner)
http://www.gartner.com/it/page.jsp?id=1283413
At the same time, the Range of Risks companies are facing is increasing
Risk categories: Technological; Economic; Political; Environmental; Social; Business Operations
Terrorism; Cyber attacks; Biological threats; Employee sabotage
Regulation; Regional and international tensions
Increased global competition; Inter-dependencies; Demand elasticity
Pervasive; More complex; Component failure
Natural phenomena; Catastrophic events; Workplace issues
An IBM CIO Study showed that 71% of CIOs ranked risk management and compliance as an area of focus for enhanced competitiveness.
“Of all the management tasks that were bungled in the period leading up to the global recession, none was bungled more egregiously than the management of risk.”
HBR Spotlight on Risk: Managing Risk in the New World
Past events demonstrate the range of risks and the impacts they have
Event | Date | Impact
Earthquake in Chile | 2010 | Estimated $30B+ in damages, over 200 lives lost
H1N1 (“Swine flu”) outbreak | 2009 | Affects company operations throughout Mexico (and other parts of the world)
Global financial crisis | 2008-2009 | Companies’, individuals’ and governments’ financial viability threatened
Unauthorized employee actions | 2008 | Single trader makes unauthorized transactions, costing Société Générale almost €5 Billion
Facilities disruptions | 2006 - 2007 | Repeated disruptions to banking services get attention of country banking regulators (major European Bank)
“Routine programming update” | 2004 | Disrupts major NA bank’s operations for 4-5 days
“IT Breakdown” | 2003 | Halts IT-based bank services for several days (major Nordic Bank)
Malicious computer worm hits 13,000 ATMs at B of A | 2003 | Bank unable to process customer transactions and impacted Internet traffic worldwide
Competitor goes on strike | 1997 | Distribution company’s operations overwhelmed and unable to capitalize on fleeting market opportunity
Product tampering | 1982 | Tylenol scare nearly dooms Johnson & Johnson
While “catastrophic level” disruptions make headlines, smaller “operational level” disruptions can also have a significant impact
A report from the Basel Committee analyzed reported Loss Data from 63 financial institutions:
Average of 586 loss events over €10,000 in a single year
Average total loss of €92 million per institution
Nearly 98% of these incidents were associated with losses of under €500,000
Almost two out of three (62 percent) enterprises with revenues over US$5 billion have encountered material risk events in the last three years. Of those, nearly half (42 percent) were not well prepared for it.
“Balancing Risks and Performance with an Integrated Finance Organization” (The Global CFO Study 2008 Executive Summary), IBM Institute for Business Values
Collectively, these “non-catastrophic” disruptions can have “boardroom-level” impacts on company revenue.
Sanitized example from prior client (numbers are “real”)
About 99% availability

First estimate - simple downtime calculation
Scheduled hours: 8320
Downtime for average customer: 81.75
Yearly ABC Americas Revenue: $1,000,000,000
Revenue per scheduled hour of operation: $120,192.31
Annual revenue impact: $9,826,007.33

Second estimate - split peak hours and non-peak hours
Assumed number of peak hours/day: 12
% of revenue from peak hours: 85%
% of outage hours which occur during peak hours: 80%
Revenue loss from peak time outages: $13,363,369.96
Revenue loss from off-peak time outages: $589,560.44
Annual revenue impact: $13,952,930.40

Third estimate - customers don't return to ABC immediately after service is restored
CASE 1: 50% of time customer switches back to ABC as soon as ABC is back up
CASE 2: 50% of time customer does not switch back from competitor for 24 hours
Assume customer switches to Competitor 1 or Competitor 2 randomly
Lost revenue from peak time lost: $110,879,853.48
Lost revenue from off-peak time lost: $4,891,758.24
Annual revenue impact: $115,771,611.72
These dynamics are changing how companies think about and manage “disaster recovery”
[Figure panels: Risk responsibility; Risk exposure]
Source: Economist Intelligence Unit, Business resilience: Ensuring continuity in a volatile environment, 2007.
Costs of Business Continuity solutions can increase dramatically as the level of protection increases
[Figure: Business Continuity Costs. Curve: Costs of Mitigation Solutions. Horizontal axis: Continuity Capabilities (Lower to Higher).]
Types of Mitigation Solutions: DR solutions; IT Resilience Architecture; IT Service Delivery Topology; People and Processes; Work Place Strategy; Data and Information Protection
However, at any given level of protection, quantifiable risks remain
[Figure: Business Continuity Costs. Curves: Costs from Residual Risks; Costs of Mitigation Solutions. Vertical axis: Total Costs Associated with Risk and Mitigation. Horizontal axis: Continuity Capabilities (Lower to Higher).]
Potential Risk Cost Elements: Loss Avoidance; Higher Capital Allocation Requirements; Lower Credit Ratings; Fine and Penalty Avoidance; Maintenance of Customer Confidence; Maintain Social Responsibility; Cost Avoidance
Types of Mitigation Solutions: DR solutions; IT Resilience Architecture; IT Service Delivery Topology; People and Processes; Work Place Strategy; Data and Information Protection
As capabilities increase, the costs of residual risk decrease
[Figure: Business Continuity Costs. Curves: Costs from Residual Risks; Costs of Mitigation Solutions. Vertical axis: Total Costs Associated with Risk and Mitigation. Horizontal axis: Continuity Capabilities (Lower to Higher).]
Potential Risk Cost Elements: Loss Avoidance; Higher Capital Allocation Requirements; Lower Credit Ratings; Fine and Penalty Avoidance; Maintenance of Customer Confidence; Maintain Social Responsibility; Cost Avoidance
Types of Mitigation Solutions: DR solutions; IT Resilience Architecture; IT Service Delivery Topology; People and Processes; Work Place Strategy; Data and Information Protection
Costs of Business Continuity solutions must be balanced against the protection they provide to the company
[Figure: Business Continuity Costs. Curves: Costs from Residual Risks; Costs of Mitigation Solutions. Marked point: Optimum Resilience Risk Balance. Vertical axis: Total Costs Associated with Risk and Mitigation. Horizontal axis: Continuity Capabilities (Lower to Higher).]
Potential Risk Cost Elements: Loss Avoidance; Higher Capital Allocation Requirements; Lower Credit Ratings; Fine and Penalty Avoidance; Maintenance of Customer Confidence; Maintain Social Responsibility; Cost Avoidance
Types of Mitigation Solutions: DR solutions; IT Resilience Architecture; IT Service Delivery Topology; People and Processes; Work Place Strategy; Data and Information Protection
The economics of Business Continuity continue to change, making Business Continuity Optimization an ongoing process
[Figure: two charts, Past and Now/Future. Each plots Total Costs against Continuity Capabilities (Lower to Higher), with curves Cost of mitigation and Losses due to disruption, and marks the Optimum Investment.]
Consequences: Brand Image; Legal; Business Strategy; Enterprise Demise
Cost of disruption: Lost Revenue; Fines; Lost Productivity; Wasted Goods
Business requirements have evolved from “recovery” following a disruption to “providing uninterrupted operations”
Regulatory Pressures; Online Computing; Availability Requirements
The Changing Dynamics: Recovery Times; Risk Profiles; Approach to Planning; Technology Capability
Business Recovery: Recovering business operations following an interruption
Business Resilience: Maintaining business operations/viability through all kinds of stresses and strains … and opportunities
Business Continuity: Maintaining business capabilities through disruptive events
Disaster Recovery: IT Recovery following some kind of “catastrophic” failure
[Figure axis: Past to Present/Future]
[Figure: Resilience Lifecycle. Phases: Assess; Plan; Implement; Manage. Activities: Evaluate; Analyze; Set Objectives; Design; Deploy; Control; Monitor.]
Companies need a continuous improvement methodology that focuses on the resilience lifecycle to help reduce risk, improve governance and enable compliance.
Risk Mitigation
Regulatory Compliance
Corporate Governance
Business Imperatives
Inputs: Business objectives, goals, priorities, policies & current capabilities
Outputs: Reduced Risk, Improved governance and enabled compliance
To begin, complete a thorough analysis of potential risks and the current ability of the company to mitigate them
Assess
Analyze current & potential risks
Establish a risk profile: By business location; By line of business function; By business process
Determine impact of event: Financial; Opportunity; Reputation
Analyze capabilities for mitigation
Define customized risk framework: IBM Business Resilience Framework
Identify risk areas for further analysis
Assess maturity of mitigation capabilities: Basic; Managed; Predictive; Adaptive; Resilient
Next, set the objectives for the reach and range of what risks you may need to mitigate.
Plan
Setting objectives for risk mitigation or enhancement
Define the scope for the risk strategy: Extended enterprise; Enterprise-wide; Line of business; Business process; Business system
Select risks to be mitigated or enhanced: Procedural; Technical; Organizational; Economical; Financial; Extra-structural; Infra-structural; Geological; Environmental; Societal; Governmental
Implement a strategy & architecture that protects critical information and ensures Operational Resilience.
Implement
Design for Operational Resilience
Conceptual design
Business and Financial Justification - Concurrence among business executives and explanation to internal and external audit groups
Governance / Authority / Policies - Communication, mission, discipline
Systems Management Disciplines - Problem, change, configuration, etc.
Security - Physical and logical
Application & Data - Data protection, backup, restart, synchronization
Program Execution - Reporting, roles and responsibilities, public relations, business integration, plan invocation
Facilities - Location & management
Solution design
Goals and guiding principles
Functional, logical & technical components
Benefits, solution costs & implementation plan
Deployment of Operational Resilience
Protection of critical information
Recoverability of business functions
Ongoing management is required to ensure continued operational resilience through control and monitoring
Manage
Control negative risk while enhancing positive risk
Ongoing management of risks before, during and after an event
Regular testing to ensure preparedness
Enforcement of governance policies & procedures
Training to ensure all employees understand their roles and responsibilities
Proactive information & data protection
Accurate communications at all times
Access to critical information when needed
Monitoring current conditions to detect and respond to risks
Proactive negative and positive risk response
Focus on continuous improvement of risk response strategies
Timely reporting of exceptions, measurements and metrics
Root cause analysis
The resilience lifecycle provides for a continuous improvement process to ensure currency of the Operational Resilience strategy and architecture.
Assess
Evaluate performance
Utilize Resilient Project Office
Availability
Recovery
Security
Evaluate resilience performance
Review metrics and performance gaps
Review business and IT changes
Assess post incident data
Perform root cause analysis
Reporting on performance
Produce daily, weekly, monthly, quarterly, yearly reports for management
Produce appropriate reports for corporate, industry or government auditors
Resilience Dashboard
IBM Business Continuity & Resiliency Services provides services to help realize the strategy and architecture for Operational Resilience
[Figure: BCRS Continuum of Services, shown with the Resilience Lifecycle diagram]
IBM solutions for enabling IT governance and risk management
Service categories: Recovery Services; Protection Services; Managed Services; Consulting Services
Work Area; IT; Crisis Response
Remote Data; Onsite Data; Custom Data; Archive & Retention
IT Availability; Business Continuity
Consulting Services: Access & Plan; Design; Implement
Although our “roots” are in IT Disaster Recovery, BCRS offers a variety of services to “keep businesses in business”
Traditional Data Center recovery
Services to allow a customer to run their IT operations from an IBM managed location, using client or IBM owned equipment
Work Area Recovery
Equipped office space for customer workgroups to use when their normal facilities are not available
Business Continuity/Resiliency consulting services
Evaluate client’s risks, impacts and capabilities
Define strategies to cost-effectively mitigate risks
Design infrastructures and services to implement those strategies
Establish management programs to sustain those capabilities over time
Managed data backups
Managed service to back up customer data, at either client premises or IBM premises
Centralized data or distributed data
We provide a portfolio of services to enable new levels of Resilience, from consulting to managed services
IBM Disaster Recovery Services: Work area recovery; IT recovery; Crisis management and response
Delivery: Consultants and tools; Data center facilities; Workplaces for critical business
Services
IBM Resiliency Consulting Services
Assessment and planning
Design
Implementation
Program management
IBM Information Protection Services
Remote data protection
Onsite data protection
Custom data protection management
Data retention and archival
IBM Managed Resiliency Services
Managed continuity
Managed availability
Operational Availability Improvement: US-based financial services company
Challenge
– Stabilize and improve the customer services systems used by over 12,000 customer service representatives at eight locations to support over 50 million customers
– “We or our successors will solve this problem” (CIO to her VPs)
Initial Approach
– Availability Management consulting methodology
Follow-on solutions
– Established rigorous systems management processes to improve system stability and availability
– Implemented process and toolsets for managing performance and capacity
– Developed architecture and roadmap for implementation of security access controls
– Several technology projects – product sales and implementation assistance
Client Benefits
– Improved customer satisfaction by reducing impact of customer service disruptions by 57 percent
– Improved availability of customer service personnel and systems
– Enhanced overall risk management posture
DR Strategy: European arm of global financial services company
Challenge
– Develop and implement tactical and strategic DR solutions to comply with regulatory requirements and ensure business continuity
Initial Approach
– Assessed current status of client’s initiatives and defined 3-5 year roadmap to achieve client goals
Follow-on Solutions
– Comprehensive and integrated set of consulting services, including:
Recovery Architecture Design
Business Continuity Governance
DR Testing Framework
DC DR Framework Design
Client Benefits
– Establishing a “survival mode” in the event that a disaster occurs before client is able to establish a resilient environment
– Securing approval for the strategic approach from regulatory agencies
Managed Continuity: South American Bank
Challenge
– Develop long term strategy for addressing business continuity requirements imposed by both internal and external requirements
Initial Approach
– Developed comprehensive Data Center and Call Center strategy to provide protection against both local and regional risks
Follow-on Solutions
– Comprehensive “Out of Region” recovery solution (in Hortolândia, Brasil)
Client Benefits
– Establishing a “survival mode” in case of a “regional” catastrophe
– Satisfying internal and external requirements for recoverability
Information Protection: Multinational Market Research Company
Challenge
– Only three FTEs to manage daily backups of 3TB across 37 branch offices
– Criticality of 28 remote Exchange servers
Solution
– Remote data protection for messaging and file systems
Benefits
– Increased data availability and security
– Full audit trail visibility to meet regulatory compliance requirements
– Predictable costs through pay-as-you-go service model
“With this solution, we are assured that all data from our remote branches is backed up and easily restorable. And the centralized, Web-based management allows my staff to cost effectively fulfill the oversight and audit responsibilities mandated by Sarbanes Oxley and other regulations.”
—IT Director
With virtually unmatched global presence, IBM BCRS can serve the needs of any client
40 years of experience
Over 10,000 clients
> 400 instances of open-systems support (IBM, Sun, Cisco, HP…)
>76,000 enterprise server MIPS
>700 enterprise server terabytes
> 425 IBM System p™ servers
> 350 IBM System i™ servers
5,000,000 square feet of equipped floor space for workplace replacement
40,000 seats
100% recovery record
1600 professionals
154 resiliency centers
55 countries
Thank You!