10 Avoidable Mistakes for Executives in Resiliency Management
Presented by: Jon Murphy, CISSP, CHS-V, PMP, CBCP, CDCP, NSA-IAM/IEM, MBA, AANG
Copyright © 2002 – 2011 All Rights Reserved. Jon Murphy
Disclaimer
All thoughts and opinions expressed in this presentation, or by Jon Murphy directly, are his own and should not be interpreted as those of any current, past, or future employer, client, or any other organization that may or may not be mentioned. The mention of any organizations should not be interpreted as endorsement. Some material contained herein was obtained and is used with the express written permission of various organizations and may not be used or reproduced in any way without each of these parties’ express written consent in advance.
Contents
• Objectives
• Influence of Leadership
• The Mistakes:
  • BC Is Not the Same as DR Is Not the Same as CM/EM
  • Insurance vs. Assurance
  • InfoSec’s Ever-increasing Role
  • ALL the Costs of Disaster
  • Exercising & Testing Plans
  • The Components of Organizational Resiliency
  • Too Much from Too Few
  • How Much is Enough?
  • Regulatory Compliance, The Gorilla Who Keeps Growing!
  • Service Providers
• Summary
Objectives
• Learn the 10 most common mistakes and the misconceptions behind them
• Why they are “disastrous”
• How to correct/avoid them
On Leadership’s Influence
“People make history, and not the other way around. In periods where there is no leadership, organizations and even society as a whole stand still. Progress occurs when courageous, skillful leaders seize the opportunity to see things differently and change things for the better.”
As paraphrased from a quote by Harry S Truman, 33rd president of the US (1884 - 1972)
Paradigm (par-a-digm): A set of assumptions, concepts, values, and practices that constitutes a way of viewing reality for the community that shares them.
Assessing Your Leadership’s Paradigm
• Have any ever weathered a personal crisis?
• Have any experienced a corporate crisis?
• How much money are they investing to mitigate & prepare?
• Are they investing their time, personally?
• Are bonuses tied to results?
Organizational Resiliency
The ability spectrum of an enterprise to first avoid interruption and then promptly return to as near as possible to business as usual after responding to a business interruption.
Mistake #1: Business Continuity, Disaster Recovery, and Crisis/Emergency Management are really all the same thing
No! All three are different and each is vital!
• BC is… re-establishment of mission-critical business processes; business-area centric
• DR is… re-establishment of the technical infrastructure capabilities; IT & TeleCom centric
• CM/EM is… immediate local response to stem further damage/loss; people centric
It’s Everybody’s Business
Organizational Resiliency spans:
• Emergency Management
• IT Disaster Recovery
• Facilities Management
• Human Resources
• Physical Security
• Communications & PR
• Knowledge Management
• Supply Chain Management
• Quality Management
• Operations Management
• Finance Management
• Environment Management
Mistake #2: BC/DR/CM is All Just Another Type/Level of Insurance
Failure to plan and prepare can be costly:
• Loss of lives
• Loss of property
• Lost revenue; ≈ $x,000,000 per day
• Lost customer confidence
• Lost market share
• Tarnished image
• Fines & jail time
BII: adequate for these or not?

Risk Event                 Percent Affected   Business Impact
Power outage               88%                High
Telecom failure            57%                Medium to High
Hardware failure           56%                Low to High
Natural disaster           55%                Medium to Very High
Human error                53%                Low to High
Software failure           48%                Low to High
Service provider failure   39%                Medium to High
IT security breach         36%                Medium to Very High
Facility move              33%                Medium to High
Terrorists' acts           21%                Medium to Very High
Physical security breach   18%                Medium to Very High
Fire                       12%                Medium to Very High
Unjustified Assumptions
• All of your people will survive the disaster
• Your organization is important to the utility (& other supplier) companies
• Your generator’s fuel supply will outlast the disaster
• Airplanes and specialty transportation will always be available
Mistake #3: Information Security is a synonym for “Paranoid Geek”
Information Security is your Best Partner in Getting to “Yes”
InfoSec Facts
• Gartner reports the number one category of spend for most CIOs in 2006 was InfoSec related
• A March ’06 Forrester survey indicated that most CEOs rank InfoSec breaches and downtime as their #1 IT-related concerns
• The FBI estimates the cost of computer crime at ≈ $190B in 2005, the vast majority of that amount from American businesses’ bottom line
• 2,009 new viruses (including worms and trojans but not variants) were unleashed in 2005 (research by SATO)
• In 2003, Global 1000 companies spent ≈ $5M each on troubleshooting corrupted PC issues (research by SRI)
Mistake #4: Downtime is already calculated into our SLA and is just an expected part of doing business
Valuing ALL the Costs of Disaster
Most organizations do a decent job at capturing hard-dollar costs of interruptions. Often forgotten are the soft numbers:
• Cost of idle staff
• Loss of paper records
• Loss of works in progress on PCs and in notebooks
• Alternate quarters acquisition
• Bad press
How much is your brand reputation worth?
Tangible Disaster Impact

6 yr Total Revenues   % Decrease
$16.98 B              0%
$12.97 B              23.60%
$5.38 B               68.32%
[Chart: Recovery Costs Factor vs. Time to Recovery in Days. Time-to-recovery axis: 1, 3, 7, 20, 30 days. Recovery-costs-factor axis: R, 5X, 18X, 45X, ∞. Cost bands, from lowest to highest:]
• Predominantly just revenue loss (R)
• R + customer confidence loss (C)
• R + C + shareholder confidence loss (S)
• R + C + S + complete market loss (M)
Mistake #5: Testing/exercising – the same thing, and an annual waste of time and loss of productivity
Testing & Exercising Plans
• “Testing” vs. “Exercising”
• Types of exercises
• Objectives
• “Failing” an exercise
Graphically Speaking …
[Chart: Range of Impact to the Organization (Normal, Emergency, Disaster) plotted against Coping Resources, showing Event Impact, the Organization’s Level of Coping Resources, and the Disaster Realm.]
After Mitigation, Prep, Training …
[Chart: Range of Impact to the Organization (Normal, Emergency, Disaster) plotted against Coping Resources after mitigation, preparation and training, showing Event Impact, the Organization’s Level of Coping Resources, and the Disaster Realm.]
Mistake #6: Breaking up responsibility and accountability for “resiliency” (whatever that is) is a good thing
To Silo or Not to Silo; The Components of Organizational Resiliency
• A Program Management Office approach
• More than just BC & DR
• Benefits
[Diagram: The Risk Management Program Office, encompassing BC, DR, ER/CM, RC, and IS]
Mistake #7: One coordinator- or manager-level staffer is sufficient
Asking Too Much from Too Few
• Common to have only a “BC/DR coordinator”
• Reports to a manager, not an executive
• No staff
• Little if any budget
• Not a priority until an “OOS” moment
• No respect
Ad Hoc or Dedicated Roles
• $ize matters
• Marketing/business model matters
• Industry matters
• Criticality matters
• Organizational maturity matters
Mistake #8: A single-digit percentage of one year’s IT budget spend over 3-5 years is all that is needed
How Much Mitigation is Enough?
Careful in doing comparisons…
• How much do you need to protect?
• How much can you afford to lose?
• OppX or CapX constrained?
• What is the organization’s risk tolerance?
An Investment Starting Point
[Chart: Response & Recovery Capability (Minimal, 30 days; Good, < 3 days; Better, < 1 day) against Initial Costs, Additional Costs, and ATOD Costs.]
Mistake #9: Regulations and compliance are just the Finance department’s concern
Regulatory Compliance – an Ever-Changing World
Mistake #10: We have a contract with XYZ Corp and they have our continuity problems all taken care of
Service Providers – Panacea or Puffery
• Local and out-of-region providers
• Look beyond the usual suspects
• One service provider already under contract may have other services to offer as a bundle
• Beware of over-subscription
• Test them too
• Consider mutual aid-like agreements
Where would you rather be?
Summary
• Don’t confuse the disciplines as being one and the same
• Be assured, not just insured
• InfoSec is your friend
• Calculate all the costs, not just downtime
• Exercises and tests are vital
• Have all the players on the same team
• Staff (numbers) appropriately and at the right levels
• Proactively choose if you want to pay some now, or a lot later
• Pay attention to compliance
• Know what you are getting from service providers

2007 CPM West Keynote Presentation


Editor's Notes

  • #5 And… in keeping with that thought… let’s find out exactly what we will look at today.
  • #8 Why apocalyptic How to avoid
  • #10 Eisenhower quote vs. Shane & John M approach. Are key responders fully aware of the org’s dependency, and has the org made plans to take care of their special needs? What about critical responders who are temporarily unavailable or impaired? What is your org’s policy on impaired persons in an emergency?
  • #12 BCP activities include: customer, partner, supplier communications and manual workarounds; possible alternate quarters. DRP activities include: data recovery, server recovery, network re-routing, hot site spin-up, etc. Tell the oilwell fitting company story. Mention other domains. Why apocalyptic and how to avoid.
  • #13 All these functions, and probably more, need BC addressed, though as I said, DR for us is a more critical role than for some other firms. What about support functions we take for granted: mail and other deliveries, custodial, etc.?
  • #16 CPM surveyed the Fortune 5000 in 2004 and some 2800 respondents reported these results. 30% of all businesses that have a major fire go out of business within a year; 70% fail within 5 years (research by Gartner Group). 93% of companies that lost their works-in-progress data for 10 days or more due to a disaster filed for bankruptcy within 1 year of the disaster (National Archives & Records Administration, Washington DC). 50% of businesses that found themselves without data recovery from PCs for this same time period filed for bankruptcy immediately (National Archives & Records Administration, Washington DC). What about a pandemic: has your org started any research or planning around Avian Flu mutating to a human infectious form? What about falling water? Will your BII cover the expensive decorations that adorn HQ?
  • #17 You need to know where to get replacement employees or contract workers who can take up the slack in such a situation. If your systems are so customized that such workers can’t be found, then you’ve identified another key vulnerability for your organization. Many planners simply assume that because of the nature of their organization (bank, nursing home, etc.), the utility companies will assign them a high priority in their recovery operations. During the 2004 hurricane devastation in Florida, many nursing home operators, who simply assumed that they had the same priority as hospitals, found out that they were actually lower in priority than most businesses. Find out BEFORE disaster strikes! Most diesel-powered generators only have about a three-day supply of fuel in their supply tanks. Often, during a disaster, areas become inaccessible to fuel trucks for longer periods of time than that, and alternate plans need to be drawn up for that eventuality. Many organizations are dependent upon air deliveries of key items. An example would be drug companies who are delivering test samples for clinical trials. These deliveries were completely disrupted after 9/11 when the entire air fleet of the country was grounded. Another example would be organizations who have arranged for air delivery of replacement computers in a disaster, just the time when airports might be closed. Alternative means of transportation need to be identified in advance to cover these eventualities.
  • #19 Mention article coming out and prez at DRJ FW 06 on IS meeting Homeland security
  • #23 All lines represent all the EI brands’ contribution. Green is Business As Usual, Orange is impact of the 50% loss of Hotels.com (complete outage time of 15 days, plus less than 100% operation time, plus damage to brand) and red is the impact of the 50% loss of Expedia.com (complete outage time of 30 days, plus less than 100% operation time, plus damage to brand)
  • #24 Recovery Costs Factor exponential growth over time curve source: Sir Andrew Hiles, the British Continuity Institute and the British Standards Institute, 2002. Actual $ figures sourced from Expedia FP&A 2005.
  • #26 Discuss loss of ability to purchase and pay. Coordination with local jurisdiction’s emergency services and EPD.
  • #27 The less mitigation/prep/training is undertaken, the lower the organization’s coping level, and the larger the Disaster Realm.
  • #28 As more mitigation/prep/training is undertaken, the organization’s coping level rises and makes the Disaster Realm smaller.
  • #33 Repository and corporate memory of lessons learned Nearby risks?
  • #36 Up front costs + RTO costs + Additional recovery costs = total cost / impact. Include cost to manage brand impact (advertising, coupons, marketing…). Investing more up front reduces other costs.
  • #38 I thought about alternately titling this slide… “And the regulators shall inherit the earth”. I know you all realize that this is not even all the pertinent heavy-hitter regs; for instance FACTA, FISMA, GLBA are not even covered here!