key trends driving global business resilience and risk

© 2010 IBM Corporation

Key Trends Driving Global Business Resilience and Risk

Patrick Corcoran, Global Business Development ExecutiveBusiness Continuity & Resiliency Services (BCRS)

© 2011 IBM Corporation2

Agenda

What is Resiliency? Resiliency: The CIO perspective Moving forward: Building a comprehensive business resilience strategy Regional Event Learnings


Business resilience refers to the ability of enterprises to adapt to a continuously changing business environment.

Business resilience helps organizations maintain continuous operations and protect their market share

in the face of disruptions such as natural or man-made disasters. It requires the engagement

of everyone in the organization and often means a change in corporate culture to instill awareness

of risk.

Business resilience planning is distinguished fromenterprise risk management (ERM) in that it is more likely

to build capacity to seize opportunities created by unexpected events.


Impact of coping with the financial turmoil

Loss of critical personnel Loss of key knowledge Reduction in attention to

significance of risk Reduction in testing recovery

plans

4

As budgets shrink and service level requirements increase, our business becomes even more vulnerable to data loss.

Disaster recovery and business continuity is one of the top IT spending priorities for many businesses.

Heightened impact of business disruption

Greater financial implications of downtime

Brand vulnerabilities Data integrity requirements

Changing environment Expanding risk exposures Increased global and regional

interdependencies Supply chain disruption

More complex regulations Changing industry and regulatory

standards Geographic dispersal requirements Varying regulations per country


Loss of critical personnel Loss of key knowledge Reduction in attention to significance

of risk Reduction in testing recovery plans


5

The continuous flow of information is inseparable from the operational performance of the business.

Information technology is often at the epicenter of how a firm interacts with its clients Information technology is always a lever to produce highly efficient supply chains, operations

and workflows In combination, these two dynamics generate an explosive growth of managed data

The Facts

Business resilience and information risk management are commonly on the agenda of the board of directors

Firms must assess: Are we compliant? Are we reliable? Can we be trusted? Firms must decide how resilient they wish to be – contextualized in the availability, security

and recoverability of their business operations Firms must evaluate the extent to which competitive advantage or disadvantage is

influenced by their chosen resilience standing

The Implications


We see both risks and opportunities affecting firms business resilience needs

Frequency ofoccurrences

per year

1,000

100

10

1

1/10

1/100

1/1,000

1/10,000

1/100,000 US$1,000 US$10,000 US$100,000 US$1,000,000 US$10,000,000 US$100,000,000

Freq

uent

Infre

quen

t

Consequences (single occurrence loss) in dollars per occurrenceLow High

Viruses

WormsDisk failures

System availability failures

Pandemics

Natural disasters

Application outages

Data corruption

Network problems

Building fires

Terrorism/civil unrest

Data driven

Event driven

Business driven

Regulatory compliance

Workplace inaccessibility

Failure to meet industry standards

Regional power failures

Governance

Source: IBM

Data growthLong term preservation

Mergers and acquisitions

New products

Marketing campaigns

Audits


A/C FailureAcid LeakAsbestosBomb ThreatBomb BlastBrown OutBurst PipeCable CutChemical SpillCO FireCoffee MachineCondensationConstructionCoolant LeakCooling Tower LeakCorrupted DataDiesel GeneratorEarthquakeElectrical ShortEpidemic

EvacuationExplosionFireFloodFraudFrozen PipesHackerHail StormHalon DischargeHuman ErrorHumidityHurricaneHVAC FailureH/W ErrorIce StormInsectsLightningLogic BombLost DataLow Voltage

Microwave FadeNetwork FailurePandemicPCB ContaminationPlane CrashPower Grid OutagePower OutagePower SpikePower SurgeProgrammer ErrorRaw SewageRelocation DelayRodentsRoof Cave InSabotageShotgun BlastShredded DataSick buildingSmoke DamageSmoke from Restaurant

Snow StromSprinkler Discharge Static ElectricityStrike ActionSwimming Pool LeakS/W ErrorS/W RansomTerrorismTheftToilet OverflowTornadoTrain DerailmentTransformer FireUPS FailureVandalismVehicle CrashVirusWater (Various)Wind StormVolcano / Volcano Ash

Source: Contingency Planning Research, Inc. and IBM

But there are many other events that have caused business disruptions/outages that don’t make headlines, but can be just as costly.


What is Resiliency? Resiliency: The CIO perspective Moving forward: Building a comprehensive business resilience strategy Regional Events Learnings

8

Agenda


71 % of CIOs are

concerned about risk management and

compliance


Loss of critical personnel Loss of key knowledge Reduction in attention to

significance of risk Reduction in testing recovery

plans

Technology users expect

100%availability of their applications

and their information

It takes 18months for data

generated to double in size

Who cares about resiliency?

Source: Enterprise Strategy Group, April 2011

53% of organizationswould experience

significant revenue loss or other adverse business impact after 1 hour of downtime


IT plays a critical role in developing resilience strategy

IT plays a major part in building resilience

Senior IT execs expected to play strong role in developing strategy

Business resilience is joint responsibility of all C-level executives

CIO collaborates with top IT strategists more frequently

Risk contingency planning assigned to separate specialists

IT function engaged in most decisions involving business risk

CIO has overall responsibility for business resiliency strategy

Business continuity seen as primarily IT issue

Business resilience not seen as role of senior executives

“IT is a big part of our risk management because nothing can be done without it these days.”

Kris Wiluan, CEO, KS Energy Services Limited

Source: 2011 Q7. Do you agree or disagree with the following statements regarding the roles of different players in your organization's risk management strategy? (Agree only.)


To date, companies have focused heavily on creating their resilience and risk plans — and putting supporting technologies and processes in place.

Create a business continuity plan

Invest in new risk-related IT solutions

Establish company-wide risk management team

Discuss issues with supply-chain partners

Assign overall responsibility to a single executive

Develop communications or training program

Respond to recent natural disasters by rethinking strategies

Develop integrated business resilience strategy

Engage external advisors

“What we’re trying to do here is preserve our culture and make money at the same time, and managing risk is what that’s all about.”

Lee Garvin, Director, Risk Management, JetBlue


Risk concerns for IT leaders span a range of issues

12

In 2010 and 2011, IBM surveyed 560 IT managers and CIOs about how IT continuity was evolving.

In the past 12 months, what kinds of risk issues has your company dealt with?

Source: 2010 IBM Global IT Risk Study: The evolving role of IT managers and CIOs

Matches survey results from Forrester Research.

IT security 78%

63%

Power failure 50%

Physical security 40%

Theft 28%Product quality

issues 25%

22%

Natural disaster 17%E-discovery

requests 13%

Supply chain breakdown

11%

Terrorism activity 6%

Hardware and system malfunction

Federal compliance issues


1313

More companies are embracing the need for a well-crafted business resilience plan - and a risk management function.

Well-crafted and communicated plan

Disagree NeitherAgree

No formal plan, but plan to develop one


No formal risk management function


Study comparison:Only 30% of respondents in this year’s study indicated they had no formal risk management function, compared to 42% in the 2010 study

Source: Q1. Do you agree or disagree with the following statements regarding your organization’s IT risk management?Study comparison: 2010 IBM Global IT Risk Study

“What we’re trying to do here is preserve our

culture and make money at the same time, and managing risk is what

that’s all about.”Lee Garvin, Director, Risk

Management, JetBlue

https://www.ibm.com/services/forms/signup.do?source=mid-NA&S_PKG=BRRiskStudy


Compared to their competitors, respondents viewed themselves as better able to handle predictable resilience and risk events.

Same WeakerStronger Don’t know

Maintain business operations in physical disaster

Prevent unauthorized access to proprietary data

Maintain operations during a pandemic

Adapt rapidly to crisis

Align contingency plans with changing risks

Reliably retrieve archived data to meet legal requirements

Seize unexpected opportunities

Minimize losses from unexpected events

Because of its impact on the business as a whole, a crucial area for

improvement is the ability to seize unexpected opportunities

An effective business resilience plan will provide a robust foundation on

which to build a long-lived competitive position supported by end-to-end risk

management.

Source: Q4. In your opinion, how does your organization compare with its closest competitors in the following areas?


Study results revealed an opportunity for companies to further hone their competitive edge by integrating business continuity and risk management.

Stronger Same Weaker Don’t know

IT infrastructure supports business growth

Sees value of business continuity as part of risk mgmt

Profitability

Market share

Revenue growth

Even though organizations have strategies for business resilience and

risk management, they may not be integrating and leveraging those

strategies for business advantage

“Companies with a robust ERM program have lower losses,

fewer embarrassing events and a better reputation.”Yousef Valine, Chief Risk Officer,

First Horizon National Corporation

Source: Q9. How does your organization compare to its closest competitors in the following areas?



16

Agenda


Organizations expect their business resilience and risk management spending will continue to increase on a par with previous increases.

Next 3 yearsUp to now

Increase significantly14%14%

Increase47%

51%

Stay the same33%

31%

Decrease4%4%

Decrease significantly 1%1%

65% of organizations expect their business resilience and risk management spending to increase in the next three years

“My selling pitch to them (CEO and the board) is that a robust risk management capability is a competitive advantage.”

Yousef Valine, Chief Risk Officer,First Horizon National Corporation

Source: Q3. How has your organization changed its degree of spending on initiatives to improve business resilience?


A projected increase in the role played by non-IT functions may be related to the increase in emphasis on strategy integration and training.

Next 3 yearsUp to now

CIO

IT professionals

Other C-level execs

Legal

Board members

Employees

Partners

Source: Q6a. Over the next three years, what is the expected level of involvement for the following people in your organization's risk management or business resilience strategy? (Very involved or involved.)Study comparison: 2010 IBM Global IT Risk Study

“Detecting risk has to happen at the point where the behavior is occurring.”

Dr. Barbara Reynolds, Senior Advisor, Risk Communication,

Centers for Disease Control and Prevention (CDC)


Identifying the roadblocks: Silos and budgets can impede the adoption of a holistic approach to business resilience

Silos within the organization — 28%

Budget limitations — 20%

Inability to predict ROI from improvements — 17%

Lack of C-level vision and commitment — 14%

Lack of understanding about best practices — 9%

Lack of understanding about emerging technologies — 8%

Lack of buy-in from employees — 4%

Study comparison:2010 top challengesImplementing necessary procedures

Securing budget

Obtaining full risk picture from depts

Source: Q10. What is the biggest single barrier to implementing a holistic approach to business resilience planning?


Leverage the findings of the IBM Global Business Resilience and Risk Study in your organization

Recommendations

An integrated approach to business resilience and risk management offers a significant business opportunity for organizations of all sizes

Appointing a single individual with overall business resilience and risk management responsibility is essential to integration success

Input should be sought from throughout the enterprise — including employees and partners

Focus should be on the business impact and business opportunity. Recovery is a subset of the resiliency plan

Cloud technologies have matured significantly and now have the potential to deliver significant business resilience benefits

The newly integrated business resilience and risk management strategy can be levered to seize unexpected opportunities and deliver measurable business value

“An effective business resilience plan will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.”

2011 IBM Global Business Resilience and Risk Study report


A resilient framework helps identify areas of risks and vulnerabilities, and allows a company or organization to develop a enterprise resiliency roadmap.

Risk mitigation strategiesBusiness driven Data driven Event driven

Strategy

Organization

Processes

Applications and Data

Technology

Facilities

Bus

ines

s re

silie

nce



23

Agenda


Headline events often mobilize our clients to pause and reflect on their current IT resilience standing. . .

http://www.time.com/time/covers/0,16641,20100125,00.html


Lessons Learned from Regional Events

Events create other events … domino effect– Japan: earthquake => tsunami => nuclear plant damage => power problems =>

supply chain problems ……– Hurricanes => Flooding => Mud/Landslides => Power Outages ……

To learn more about lessons learned from regional disasters, listen to the following webinar: http://www-935.ibm.com/services/us/bcrs/html/web-seminar_hurricane-lessons-learned.html?&me=W&re=webseminars

Human issues– Will people be available? How about their families? Financial assistance?

Communications issues– Communicating with, supporting and mobilizing employees, customers and

suppliers, the press and the public at large Community issues

– Fulfilling responsibilities to host communities Infrastructure issues

– Anticipating how roads, travel and power supplies might be affected– Vulnerability of sites

Business issues– Keeping business processes running– Managing insurance claims

Disaster plan currency– Keeping plans up to date and well tested– Availability of data and hardware


IBM delivers unsurpassed geographic scope, combined with expertise of local, regional, and global needs/regulations.

26

Over 160 data centers globally 100 percent recovery for IBM clients who

have declared a disaster (over 800) More than 1,875 professionals dedicated to

business continuity and resiliency More than 9,000 disaster recovery clients More than 10,000 client rehearsals per year

More than 50 years experience helping clients with their backup and disaster recovery needs

Over 800 client declarations supported since 1989

Scalable, end-to-end, cloud-based data backup and recovery solutions

Five million square feet of floor space for disaster recovery, with 40,000 seats


Protecting your enterprise

Mitigating business and support issues

Increasing your competitive advantage

Protecting brand reputation

Enabling seamless, continuous business transactions

Exploiting market opportunities

Business continuity and resiliency is about…


Questions?

Jay [email protected]

key trends driving global business resilience and risk

Documents

global business resilience

business resilience

business operationsfirms

changing business environment

adequate resilience

ibm corporation4growth

information risk management

data loss