Patrick Corcoran, Global Business Development Executive

Business Continuity & Resiliency Services (BCRS)
Key Trends Driving Global Business Resilience and
Risk
© 2010 IBM Corporation
Agenda
 What is Resiliency?
 Resiliency: The CIO perspective
 Moving forward: Building a comprehensive business resilience strategy
 Regional Event Learnings
© 2011 IBM Corporation
Business resilience refers to the ability of enterprises to
adapt to a continuously changing business environment.
Business resilience helps organizations maintain
continuous operations and protect their market share
in the face of disruptions such as natural or man-made
disasters. It requires the engagement
of everyone in the organization and often means
a change in corporate culture to instill awareness
of risk.
Business resilience planning is distinguished from
enterprise risk management (ERM) in that it is more likely
to build capacity to seize opportunities created by
unexpected events.
As budgets shrink and service level requirements increase, our
business becomes even more vulnerable to data loss.
Changing environment
 Expanding risk exposures
 Increased global and regional
interdependencies
 Supply chain disruption
More complex regulations
 Changing industry and regulatory
standards
 Geographic dispersal requirements
 Varying regulations per country
Heightened impact of business
disruption
 Greater financial implications of
downtime
 Brand vulnerabilities
 Data integrity requirements
Impact of coping with the financial turmoil
 Loss of critical personnel
 Loss of key knowledge
 Reduction in attention to significance of risk
 Reduction in testing recovery plans
Disaster recovery and business continuity is one of the top IT spending
priorities for many businesses.
The continuous flow of information is inseparable from the
operational performance of the business.
The Facts
 Information technology is often at the epicenter of how a firm interacts with its clients
 Information technology is always a lever to produce highly efficient supply chains, operations
and workflows
 In combination, these two dynamics generate an explosive growth of managed data
The Implications
 Business resilience and information risk management are commonly on the agenda of the
board of directors
 Firms must assess: Are we compliant? Are we reliable? Can we be trusted?
 Firms must decide how resilient they wish to be – contextualized in the availability, security
and recoverability of their business operations
 Firms must evaluate the extent to which competitive advantage or disadvantage is influenced
by their chosen resilience standing
We see both risks and opportunities affecting firms' business
resilience needs
[Chart: data-driven, event-driven and business-driven risks plotted by frequency of occurrences per year (frequent to infrequent, 1,000 down to 1/100,000) against consequences (single occurrence loss) in dollars per occurrence (low to high, US$1,000 up to US$100,000,000).]
Plotted items: viruses, worms, data corruption, disk failures, data growth, system availability failures, long term preservation, application outages, audits, network problems, new products, regulatory compliance, governance, failure to meet industry standards, terrorism/civil unrest, marketing campaigns, building fires, workplace inaccessibility, regional power failures, natural disasters, pandemics, mergers and acquisitions.
Source: IBM
But there are many other events that have caused business
disruptions/outages that don’t make headlines, but can be just
as costly.
A/C Failure
Acid Leak
Asbestos
Bomb Threat
Bomb Blast
Brown Out
Burst Pipe
Cable Cut
Chemical Spill
CO Fire
Coffee Machine
Condensation
Construction
Coolant Leak
Cooling Tower Leak
Corrupted Data
Diesel Generator
Earthquake
Electrical Short
Epidemic
Evacuation
Explosion
Fire
Flood
Fraud
Frozen Pipes
Hacker
Hail Storm
Halon Discharge
Human Error
Humidity
Hurricane
HVAC Failure
H/W Error
Ice Storm
Insects
Lightning
Logic Bomb
Lost Data
Low Voltage
Microwave Fade
Network Failure
Pandemic
PCB Contamination
Plane Crash
Power Grid Outage
Power Outage
Power Spike
Power Surge
Programmer Error
Raw Sewage
Relocation Delay
Rodents
Roof Cave In
Sabotage
Shotgun Blast
Shredded Data
Sick building
Smoke Damage
Smoke from Restaurant
Snow Storm
Sprinkler Discharge
Static Electricity
Strike Action
Swimming Pool Leak
S/W Error
S/W Ransom
Terrorism
Theft
Toilet Overflow
Tornado
Train Derailment
Transformer Fire
UPS Failure
Vandalism
Vehicle Crash
Virus
Water (Various)
Wind Storm
Volcano / Volcano Ash
Source: Contingency Planning Research, Inc. and IBM
Who cares about resiliency?
71% of CIOs are concerned about risk management and compliance
It takes 18 months for data generated to double in size
Technology users expect 100% availability of their applications and their information
53% of organizations would experience significant revenue loss or other adverse business impact after 1 hour of downtime
Source: Enterprise Strategy Group, April 2011
IT plays a critical role in developing resilience strategy
IT plays a major part in building resilience
[Chart: share of respondents agreeing with each statement:]
Senior IT execs expected to play strong role in developing strategy
Business resilience is joint responsibility of all C-level executives
CIO collaborates with top IT strategists more frequently
Risk contingency planning assigned to separate specialists
IT function engaged in most decisions involving business risk
Business continuity seen as primarily IT issue
Business resilience not seen as role of senior executives
CIO has overall responsibility for business resiliency strategy
“IT is a big part of our risk management because nothing can be done without it these days.”
Kris Wiluan, CEO, KS Energy Services Limited
Source: 2011 Q7. Do you agree or disagree with the following statements regarding the roles of different players in your organization's risk management strategy? (Agree only.)
To date, companies have focused heavily on creating their resilience and
risk plans — and putting supporting technologies and processes in place.
Create a business continuity plan
Invest in new risk-related IT solutions
Establish company-wide risk management team
Discuss issues with supply-chain partners
Assign overall responsibility to a single executive
Develop communications or training program
Respond to recent natural disasters by rethinking strategies
Develop integrated business resilience strategy
Engage external advisors
“What we’re trying to do
here is preserve our
culture and make money
at the same time, and
managing risk is what
that’s all about.”
Lee Garvin, Director, Risk
Management, JetBlue
Risk concerns for IT leaders span a range of issues
In 2010 and 2011, IBM surveyed 560 IT managers and CIOs about how IT continuity was evolving.
In the past 12 months, what kinds of risk issues has your company dealt with?
IT security: 78%
Hardware and system malfunction: 63%
Power failure: 50%
Physical security: 40%
Theft: 28%
Product quality issues: 25%
Federal compliance issues: 22%
Natural disaster: 17%
E-discovery requests: 13%
Supply chain breakdown: 11%
Terrorism activity: 6%
Matches survey results from Forrester Research.
Source: 2010 IBM Global IT Risk Study: The evolving role of IT managers and CIOs
More companies are embracing the need for a well-crafted
business resilience plan - and a risk management function.
[Chart: responses (Agree / Disagree / Neither) to each statement:]
Well-crafted and communicated plan
No formal plan, but plan to develop one
No formal risk management function
“What we’re trying to do here is preserve our culture and make money at the same time, and managing risk is what that’s all about.”
Lee Garvin, Director, Risk Management, JetBlue
Study comparison: Only 30% of respondents in this year’s study indicated they had no formal risk management function, compared to 42% in the 2010 study
Source: Q1. Do you agree or disagree with the following statements regarding your organization’s IT risk management?
Study comparison: 2010 IBM Global IT Risk Study
Compared to their competitors, respondents viewed
themselves as better able to handle predictable resilience and
risk events.
[Chart: responses (Stronger / Same / Weaker / Don’t know) for each area:]
Maintain business operations in physical disaster
Prevent unauthorized access to proprietary data
Maintain operations during a pandemic
Adapt rapidly to crisis
Align contingency plans with changing risks
Reliably retrieve archived data to meet legal requirements
Seize unexpected opportunities
Minimize losses from unexpected events
Because of its impact on the business as a whole, a crucial area for improvement is the ability to seize unexpected opportunities
An effective business resilience plan will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.
Source: Q4. In your opinion, how does your organization compare with its closest competitors in the following areas?
Study results revealed an opportunity for companies to further
hone their competitive edge by integrating business continuity
and risk management.
[Chart: responses (Stronger / Same / Weaker / Don’t know) for each area:]
IT infrastructure supports business growth
Sees value of business continuity as part of risk mgmt
Profitability
Market share
Revenue growth
Even though organizations have strategies for business resilience and risk management, they may not be integrating and leveraging those strategies for business advantage
“Companies with a robust ERM program have lower losses, fewer embarrassing events and a better reputation.”
Yousef Valine, Chief Risk Officer, First Horizon National Corporation
Source: Q9. How does your organization compare to its closest competitors in the following areas?
Organizations expect their business resilience and risk
management spending will continue to increase on a par with
previous increases.
Change in spending: Up to now / Next 3 years
Increase significantly: 14% / 14%
Increase: 47% / 51%
Stay the same: 33% / 31%
Decrease: 4% / 4%
Decrease significantly: 1% / 1%
65% of organizations expect their business resilience and risk management spending to increase in the next three years
“My selling pitch to them (CEO and the board) is that a robust risk management capability is a competitive advantage.”
Yousef Valine, Chief Risk Officer, First Horizon National Corporation
Source: Q3. How has your organization changed its degree of spending on initiatives to improve business resilience?
A projected increase in the role played by non-IT functions
may be related to the increase in emphasis on strategy
integration and training.
[Chart: level of involvement, up to now versus next 3 years, for each group:]
CIO
IT professionals
Other C-level execs
Legal
Board members
Employees
Partners
“Detecting risk has to happen at the point where the behavior is occurring.”
Dr. Barbara Reynolds, Senior Advisor, Risk Communication, Centers for Disease Control and Prevention (CDC)
Source: Q6a. Over the next three years, what is the expected level of involvement for the following people in your organization's risk management or business resilience strategy? (Very involved or involved.)
Study comparison: 2010 IBM Global IT Risk Study
Identifying the roadblocks: Silos and budgets can impede the
adoption of a holistic approach to business resilience
Silos within the organization: 28%
Budget limitations: 20%
Inability to predict ROI from improvements: 17%
Lack of C-level vision and commitment: 14%
Lack of understanding about best practices: 9%
Lack of understanding about emerging technologies: 8%
Lack of buy-in from employees: 4%
Study comparison: 2010 top challenges
Implementing necessary procedures
Securing budget
Obtaining full risk picture from depts
Source: Q10. What is the biggest single barrier to implementing a holistic approach to business resilience planning?
Leverage the findings of the IBM Global Business Resilience
and Risk Study in your organization
Recommendations
“An effective business
resilience plan will provide
a robust foundation on
which to build a long-lived
competitive position
supported by end-to-end
risk management.”
2011 IBM Global Business
Resilience and Risk Study report

An integrated approach to business resilience and risk
management offers a significant business opportunity for
organizations of all sizes

Appointing a single individual with overall business resilience and
risk management responsibility is essential to integration success

Input should be sought from throughout the enterprise —
including employees and partners

Focus should be on the business impact and business
opportunity. Recovery is a subset of the resiliency plan

Cloud technologies have matured significantly and now have the
potential to deliver significant business resilience benefits

The newly integrated business resilience and risk management
strategy can be leveraged to seize unexpected opportunities and
deliver measurable business value
A resilient framework helps identify areas of risks and
vulnerabilities, and allows a company or organization to
develop an enterprise resiliency roadmap.
[Diagram: business resilience framework. Risk mitigation strategies for business driven, data driven and event driven risks, shown across the layers Strategy, Organization, Processes, Applications and Data, Technology, and Facilities.]
Headline events often mobilize our clients to pause and reflect
on their current IT resilience standing. . .
Lessons Learned from Regional Events
 Events create other events … domino effect
– Japan: earthquake => tsunami => nuclear plant damage => power problems =>
supply chain problems ……
– Hurricanes => Flooding => Mud/Landslides => Power Outages ……
 Human issues
– Will people be available? How about their families? Financial assistance?
 Communications issues
– Communicating with, supporting and mobilizing employees, customers and
suppliers, the press and the public at large
 Community issues
– Fulfilling responsibilities to host communities
 Infrastructure issues
– Anticipating how roads, travel and power supplies might be affected
– Vulnerability of sites
 Business issues
– Keeping business processes running
– Managing insurance claims
 Disaster plan currency
– Keeping plans up to date and well tested
– Availability of data and hardware
To learn more about lessons learned from regional disasters, listen to the following webinar:
http://www-935.ibm.com/services/us/bcrs/html/web-seminar_hurricane-lessons-learned.html?&me=W&re=webseminars
IBM delivers unsurpassed geographic scope, combined with
expertise of local, regional, and global needs/regulations.
 Over 160 data centers globally
 100 percent recovery for IBM clients who
have declared a disaster (over 800)
 More than 1,875 professionals dedicated to
business continuity and resiliency
 More than 9,000 disaster recovery clients
 More than 10,000 client rehearsals per year
 More than 50 years experience helping clients
with their backup and disaster recovery needs
 Over 800 client declarations supported since
1989
 Scalable, end-to-end, cloud-based data backup
and recovery solutions
 Five million square feet of floor space for
disaster recovery, with 40,000 seats
Business continuity and resiliency is about…
Protecting your enterprise
Mitigating business and support
issues
Increasing your competitive
advantage
Protecting brand reputation
Enabling seamless, continuous
business transactions
Exploiting market opportunities
Questions?
Jay Shah