TSC Business Continuity & Disaster Recovery Sessionh41382. · TSC Business Continuity & Disaster...

TSC Business Continuity & Disaster Recovery SessionMohamed AshmawyInfrastructure Consulting PursuitHewlett-Packard EnterpriseSaudi [email protected]

Session Objectives and Outcomes

Objectives• Share the key aspects of BCDR• Business Impact Analysis

Service Walkthrough• Risk Assessment Service

Walkthrough

Outcomes• Common Understanding on:

• Business Impact Analysis• Risk Assessment• Existing delivery capabilities • Next Steps

© Copyright 2017 Hewlett-Packard Enterprise Corporation. The information contained herein is subject to change without notice.

Agenda1 Industry Outlook and Challenges

2

3

HPE Transformation Area 2 Point of View

Business Continuity Management – Key Aspects

4 Business Impact Analysis

Risk Assessment 5

GFS Capability Overview6

HPE Value Differentiation & Next Steps7


Industry Outlook & Challenges

Gartner Predicts 2015: Business Continuity Management and IT Disaster Recovery Management

Demand over legacy backup applications

In 2015, focus on improving operational resilience with more automation

By 2018, 50% of organizations will use managed failovers

By year-end 2020, 15% of organizations will fail due to inadequateprotection

Source: Gartner Predict 2015


Why we should focus on BCDRMarket Forecasts and Analysis– Business Potential

According to “Research and Markets” agency, the GRC solutions and services market including BC & DR will grow at a 14.7% CAGR to $31.77 billion through 2020 – approximately three times the growth rate of the overall GRC market from 2015

Source : http://www.businesswire.com/news/home/20150625005495/en/Research-Markets-Enterprise-Governance-Risk-Compliance-Market#.Vd6la_mqqko

How much we can get here?

BIA & RA Services are critical steps to generate more and more BCDR opportunities


Gaps in Today’s BC & DR Arrangements – Market Demand

• 60+% do not have a fully documented DR plan

• Remaining 40% DR plans did not prove very useful when it was called on to respond to their worst disaster recovery event or scenario.

• Almost 65% enterprises are failing in DR testing

Lack of DR Planning, testing and resources

Financial Impact due to service outage Major causes of outages

• 36% organizations lost one or more critical applications, VMs, or critical data files for hours at a time over the past year

• 20% organizations indicated losses of more than $50000 to over $5Mn

• 50% software failure + network failure

• 23.5% human error• 24% power failure• 2.5% weather

Source : Disaster Recovery Preparedness Benchmark Survey (DRP) © Copyright 2017 Hewlett-Packard Enterprise Corporation. The information contained herein is subject to change without notice.

Let’s hear your voice!

Do you leverage automation and orchestration in your disaster recovery plans in order to improve business outcomes?

Open HPE Events App, and answer the following question to participate

HPE Transformation Area 2 Point of View

Transformto a hybrid

infrastructure

Enableworkplace

productivity

Empowerthe data-drivenorganization

Protect yourdigital enterpriseProtect your most prized digital assets whether they are on premise, in the cloud or in between.

Protect your digital enterprise

Protect Detect & Respond Recover

Build it inIdentify the threats you face, assess your organization’s capabilities to protect your enterprise,

Harden your applications, protect your users, and encrypt your most important data

Proactively detect and manage breachesHelp reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration.

Establish situational awareness to find and shut down threats at scale

Safeguard continuityand complianceDrive resilience and business continuity across your IT environments, systems, and applications.

Reduce risk with enterprise-wide governance, risk & compliance strategies

BIA and RA Services fall under “Recover”© Copyright 2017 Hewlett-Packard Enterprise Corporation. The information contained herein is subject to change without notice.

HPE Business Continuity Management –Key Aspects

HPE Business Continuity 5 Step Approach

Exercising, Maintenance &

Audit

Understandingyour

Business

Building &EmbeddingBCM Culture

BCProgram

Management

Develop &Implement

BCM Response

Building Resiliency & ContinuityStrategies

1

2

34

5

1. Understanding the BusinessCriticality, Compliance mandate,data center operations, supportservices to identify continuity &recovery requirements.

2. Building Resilience andContinuity Strategies basis thecontinuity related Risks identifiedin BIA and RA.

3. Developing and Implementing aResponse Plan to Respond toand Manage ‘ServiceDisruptions’.

4. Institutionalizing BusinessContinuity framework &processes as part of operationsto build Business ContinuityMaturity.

5. Exercising Business Continuityreadiness; Updating of BC Plansand Independent Audit.

Business &

Com

pliance Requirem

entsGlo

bal B

est P

ract

ices

& S

tand

ards

A

lignm

ent

HPE BCM Framework

‘Business Continuity’ Program Management

BCM Governance

Understand Business

Requirements

Business Continuity Strategies

BC Plan, Design &Implementation Plan Administration Audit & Compliance

People and Process

Technology

• Business Process Identification, priority & criticality

• Compliance Statement• Planning Structure• Business Impact Analysis• Risk Assessment • Interdependencies• Third Party Independencies

• Risk Assessment • Recovery requirements• IT Dependencies• Service Level

Agreements (SLAs)• Interruption Insurance

• Alternative strategies against the results of BIA exercise

• Third Party continuity strategies

• IT Operational Process Requirements

• Single Point of Failures mapping

• IT Resiliency & Recovery strategy

• Business Continuity Plans• Crisis Management Plans• Crisis Communication

Plans• Command Center Plan• Pandemic Response Plan• Emergency Response Plan• Business Resumption• Work area recovery

(Facilities) Plan• Return to Home Plan

• Disaster Recovery Plans• Incident Management Plan• Recovery Strategy Design• Failover and Failback

strategy design• Data Backup and

restoration plan design

• Exercise and Testing• Plan Maintenance• Training and Awareness• Plan Audit• Post Mortem analysis

and reporting

• DR Testing and simulations

• Post Mortem Process

• On-going improvements• Align newly

designed/revised strategy/plans with regulatory requirements

• Compliance report as per legal, regulatory and contractual requirements

• On-going improvements• Align newly

designed/revised strategy/plans with regulatory requirements

• Policies & Standards• Roles & Responsibility

guide• BCM Program

Management Office • Management Review

• Policies & Standards• Roles & Responsibility

guide• BCM Program

Management Office • Management Review

Business Continuity Management Framework

HPE BCM Framework is aligned to ISO 22301 Standard

Business Impact Analysis Service

ChallengesObjectives

Lack of knowledge of financial, reputation and legal impact on the organization

No process classification to document the criticalities of organizational assets

Associated process interdependencies not identified

No established acceptable downtime and recovery level of critical processes

Resource requirements necessary at the time of a disruption not identified

Identify operational and

financial impacts due to

business disruptions

Identify minimum operating

requirements

Identifying operating requirements is only aiming at minimising financial and operational impacts


BCP is a set of advance arrangements to increase organizational resilience through availability of critical processes at acceptable levels and downtimes

RTO – Recovery Time Objective | MOR – Minimum Operating Requirements

Leve

l of O

pera

tions

Time

Normal Level

Incident

Dis

rupt

ion

RTO (e.g. 2 wd)

MOR Level

MOR delivery (e.g. 5 wd)

Normal Level

Crisis duration (e.g. 7 wd)

How an incident is managed


Key Terminologies

BIA helps to identify:

• Process classification (Critical / Key / Others)

• Minimum operating requirements (RTO, MOR and RPO)

• Key resources (People, IT and Infrastructure, 3rd party vendors, documentation)

BIA output drives necessary recovery strategies (backup plan) for the following outage scenarios:

• Site, City, Country, People and Technology

RTO (Recovery Time Objective)Duration of time by which a business process / activity must be resumed

MOR (Minimum Operating Requirements)MOR (expressed as Head Count) to ensure recovery of operations to pre-defined service level

RPO (Recovery Point Objective)Duration of time of acceptable data loss

ProcessCluster of activities which produce a defined outcome. Unified processes and not multiple processes with similar name (eg. Budgeting, Payroll management, Event Management within Marketing)

Functions Is an entity or team which is typically characterized by a special area of knowledge or experience (HR org wide function, Payroll org wide function, Marketing function)

BIA is the process to predict and review the consequences of disruption of a business function / activities and gathers information needed to develop appropriate recovery strategies

Proven risk assessment methodology aligned to ISO 31000

BIA Concepts

BIA defines the priorities for recovery of critical operations

Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies.

Evaluate the potential business impact on a process not being performed:• Tangible Impacts

Financial Exposure• Intangible Impacts

Brand / Reputation Legal and Regulatory Customer Satisfaction


Business Impact Analysis MethodologyComprehensive impact analysis to determine critical recovery requirements

• Structured and targeted focus reviews

• Classification of in-scope processes into criticality continuum

• Knowledge of recovery requirements

• Establishing internal & external dependencies

• Independent review with SMEs

• Alignment to organization’s strategic goals

Interviews, workshops, templates

Understand Assess Establish Document

• Process understanding

• Process Mapping

• SPOC Identification

• BIA workshop

• Questionnaire response

• Moderation and review

• Establish RTO and RPO

• Identify dependencies

• Identify resource requirements

• Document BIA workbook

• Prepare BIA report

• Management signoff


Deliverables

# Deliverables

1 Kick off Presentation

2 BIA Walkthrough Presentation

3 BIA Template

4 BIA Summary Report

5 Closing Presentation


How can we help Customers? Facilitating information gathering and reviewing

relevant documentation

Developing process flow diagrams, mapping key internal and external dependencies

Determining recovery parameters and critical activities for business processes

Establishing the correct sequence of recovery activities

Determining the critical resource requirements

We’re certified within our profession, and we’re certified by our alliance partners

We’re experienced, we’re present, and we’re trusted


What Benefits Customers can get?


Risk Assessment Service

ChallengesObjectives

Lack of knowledge of key continuity risks

Lack of visibility around potential threat sources to the business

Residual risks not identified and evaluated

Non standard mitigation plan against risks to their business

Inadequate / outdated risk assessment documentation

Holistic view of all business continuity-related risks

Minimize organizational losses

Ensure risks are within the organization’s risk appetite

Implement effective governance

Managing risk is about creating value out of uncertainty


Risk Assessment MethodologyProven risk assessment methodology aligned to ISO 31000


Key Terminologies

RA helps to identify: Key risks to the organization

Strength of existing controls

New controls for implementation

Effective governance structure

RA output drives necessary mitigation plans to be implemented

Key Terms Low Risks

The risk merits management awareness, but does not require remedial action

Medium Risks

Overall risk is manageable with some senior management intervention and remediation

High RisksRisk is significant and strong remediation is required

RA is a process that identifies risks, ranks them by likelihood + impact & implements plans to mitigate these risks


Proven risk assessment methodology aligned to ISO 31000

Risk Concepts

Risk is the effect of uncertainty on objectives

Organizational objectives can be Strategic, Tactical or Operational

Effect : Deviation from the expected – Positive / Negative

Often expressed in terms of combination of the “Consequences” of an event and the “likelihood” of occurrence

• High / Medium risks can be treated, transferred, terminated or tolerated


Risk Assessment Methodology

Interviews, workshops, templates

Understand Assess Mitigate Document

• Process understanding

• Process Mapping

• SPOC Identification

• Defining risk methodology and risk appetite

• Evaluating risks

• Computing residual risks

• Define mitigation plan

• Assign timelines and owners

• Prioritize mitigation actions

• Document risk register

• Prepare risk report

• Management signoff

• Clear deliverables

• Structured methodology

• Aligned to best practices

• Compliance to industry standard

• Independent review with SMEs

• Alignment to organization’s strategic goals

• Long term governance centric


Deliverables

# Deliverables

1 Kick off Presentation

2 RA Walkthrough Presentation

3 RA Questionnaire

4 Risk Register

5 RA Summary Report

6 Closing Presentation


How can we help? Facilitating information gathering and reviewing

relevant documentation

Developing process flow diagrams, mapping key internal and external dependencies

Determining residual risk for business processes, sites and the organization

Establishing necessary mitigation plans for various identified risks in line with the risk appetite

Assisting in the closure and ongoing evaluation of continuity risks

We’re certified within our profession, and we’re certified by our alliance partners

We’re experienced, we’re present, and we’re trusted

What Benefits Customers can get?


HPE Value Differentiation

Our Value Differentiation

Support to Improve Service

Availability –Reduce Service

disruptions

Drive consistent customer

experience

Help to identify “Single Point of

Failures”

Assurance to reduce cost of

operations

Drive customer satisfaction –

enhance brand value, drive top line growth &

reduce cost of non performance

Help to provide Regulatory Compliance Assurance


Let’s hear your voice!

State 2 of the building blocks to achieve the BCDR

Open HPE Events App, and answer the following question to participate

Questions

Thank You

Mohamed [email protected] TSC Pursuit Saudi Lead

TSC Business Continuity & Disaster Recovery Sessionh41382. · TSC Business Continuity & Disaster...

Documents

Transcript of TSC Business Continuity & Disaster Recovery Sessionh41382. · TSC Business Continuity & Disaster...