Kpmg Business Continuity Planning An experience based approach Tamás Gaidosch Director, Information...


Business Continuity Planning

An experience based approach

Tamás Gaidosch, Director, Information Risk Management, KPMG Central and Eastern Europe, +36 1 270 7139, [email protected]

Piaţa Financiară: Operational Continuity and Disaster Recovery Centres, 2nd edition

Bucharest, 11.02.2003

2

Agenda

KPMG in a nutshell

Definitions
- BCP, DRP, etc. What are we talking about?

Goals - what do we want to achieve?

The method - a practical way to achieve the goals

The experience - what works and what does not?

Q & A

3

KPMG in a nutshell

One of the leading professional services firms

Offices in more than 160 countries

Over 100 000 professional staff worldwide

Central and Eastern Europe: 15 countries, over 2 500 professional staff
- full breadth of audit and consulting services

4

Information Risk Management (IRM)

(Diagram labels: Audit and other financial assurance services; IT Consulting; Information Risk Management (IRM); IRM services: E-Advisory, E-Assurance)

5

Definitions

DRP (Disaster Recovery Plan)
- the roots of business continuity planning (1970s)
- focused on IT recovery

BCP (Business Continuity Plan)
- scope extended to the business processes

BCM (Business Continuity Management)
- focuses on continuous availability

CM (Crisis Management)
- deals with big disasters

6

Goals

What do we want to achieve with a BCP?

Recovery of services
- as fast as possible
- as cost effective as possible

7

Why bother?

Image, good reputation
Meet client expectations
Minimise financial losses
Regulatory compliance
Manage operational risk

Tomorrow: TO SURVIVE

8

Numbers

Average loss caused by one hour of IT disruption

Industry               USD
Brokerage              7 840 000
Card authorisation     3 160 000
Pay-per-view             183 000
TV shopping              137 000
Airway reservations      108 000
Parcel services           34 000
ATM fees                  18 000

Source: Datamotion

9

Numbers

Causes of IT disruptions (pie chart): Process 40%, People 40%, Technology 20%

Source: Gartner Group

10

Costs with plan and without

(Chart: cost plotted against time from the moment of the disaster, with a plan and without one)

11

The method

Business Continuity as a process

(Chart: share of business processes running, 0% to 100%, over time, with the points Event, Activate and Verify marked)

12

The method

Phases of the plan

Preparation
- before the event

Response
- immediately after the event

Transient operations
- alternative processes
- diminished capacity and functionality

Recovery
- returning to normal operations

13

Running a BCP project

Business impact analysis (BIA)
Plan development
Implementation
Testing
Training
Maintenance

14

Business Impact Analysis (BIA)

Process and risk assessment

Impacts of disruption
- financial
- operational
- legal
- reputation

Results
- priorities of business processes
- critical processes and systems
- maximum allowable downtimes

15

Business Impact Analysis (BIA)

Financial impact of disruption, rated Low / Medium / Severe, by time elapsed after the disruption: day 1, days 2-3, days 4-5, week 2, weeks 3-4

Business Unit        Business Process
Treasury             Cash supply of branches
                     Cash management
                     Bulk deposits
Branch Network       Cash transactions
                     Transfers
                     Claims resolution
                     Loans
Central Cust. Care   Non-stop Call Center
                     Claims resolution

(The per-band rating cells were colour-coded on the slide and are not reproduced in the transcript.)
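The BIA table above and the "Results" list on the previous slide describe one calculation: rate each process's impact per time band, then read off the maximum allowable downtime (MAD) as the last band before the impact turns Severe, and rank processes by it. The following Python is an added example, not code from the presentation or from KPMG. It assumes an ordinal scoring of the Low/Medium/Severe legend, an end-of-band day count for each column (day 1 = 1 day, days 2-3 = 3, days 4-5 = 5, week 2 = 14, weeks 3-4 = 28), and a constructed set of ratings for the processes named on the slide; the real ratings are not in the transcript. It also validates the input, since a rating that drops as the outage lengthens is a data-entry error that would silently shorten or lengthen a MAD.

```python
from dataclasses import dataclass
from typing import List, Optional

# Time bands as they appear in the BIA table on the slide.
BANDS = ["day 1", "days 2-3", "days 4-5", "week 2", "weeks 3-4"]
# Assumption: end of each band in days, used as the ordinal scale for the MAD figure.
BAND_END_DAYS = {"day 1": 1, "days 2-3": 3, "days 4-5": 5, "week 2": 14, "weeks 3-4": 28}
# Impact legend from the slide, mapped to an ordinal score (assumed mapping).
RATING_SCORE = {"Low": 1, "Medium": 2, "Severe": 3}


@dataclass
class ProcessImpact:
    unit: str
    process: str
    ratings: List[str]  # one Low/Medium/Severe rating per band, in BANDS order

    def __post_init__(self) -> None:
        if len(self.ratings) != len(BANDS):
            raise ValueError(f"{self.process}: expected {len(BANDS)} ratings, got {len(self.ratings)}")
        unknown = [r for r in self.ratings if r not in RATING_SCORE]
        if unknown:
            raise ValueError(f"{self.process}: unknown rating(s) {unknown}")
        scores = [RATING_SCORE[r] for r in self.ratings]
        # Impact must not shrink as the outage lengthens; a drop means a data-entry error.
        if any(later < earlier for earlier, later in zip(scores, scores[1:])):
            raise ValueError(f"{self.process}: impact must not decrease as the outage lengthens")

    @property
    def name(self) -> str:
        return f"{self.unit} / {self.process}"


def max_allowable_downtime(p: ProcessImpact) -> Optional[int]:
    """Days of outage tolerable before the financial impact becomes Severe.

    0    -> Severe already within day 1 (must be recovered in hours)
    n    -> end of the last band that is still below Severe
    None -> never Severe within the assessed horizon
    """
    for i, rating in enumerate(p.ratings):
        if rating == "Severe":
            return 0 if i == 0 else BAND_END_DAYS[BANDS[i - 1]]
    return None


def prioritise(impacts: List[ProcessImpact]) -> List[ProcessImpact]:
    """Rank processes: shortest MAD first, ties broken by total impact score; never-Severe last."""
    def key(p: ProcessImpact):
        mad = max_allowable_downtime(p)
        total = sum(RATING_SCORE[r] for r in p.ratings)
        return (mad is None, mad if mad is not None else 0, -total)
    return sorted(impacts, key=key)


def critical_processes(impacts: List[ProcessImpact], threshold_days: int = 1) -> List[str]:
    """Names of processes whose MAD is at or below the threshold: the recovery plan's first wave."""
    out = []
    for p in impacts:
        mad = max_allowable_downtime(p)
        if mad is not None and mad <= threshold_days:
            out.append(p.name)
    return out


# Constructed ratings for the processes on the slide (not the presentation's real data).
SAMPLE = [
    ProcessImpact("Treasury", "Cash supply of branches", ["Medium", "Severe", "Severe", "Severe", "Severe"]),
    ProcessImpact("Treasury", "Cash management", ["Severe", "Severe", "Severe", "Severe", "Severe"]),
    ProcessImpact("Treasury", "Bulk deposits", ["Low", "Low", "Medium", "Severe", "Severe"]),
    ProcessImpact("Branch Network", "Cash transactions", ["Severe", "Severe", "Severe", "Severe", "Severe"]),
    ProcessImpact("Branch Network", "Transfers", ["Medium", "Severe", "Severe", "Severe", "Severe"]),
    ProcessImpact("Branch Network", "Claims resolution", ["Low", "Low", "Low", "Medium", "Severe"]),
    ProcessImpact("Branch Network", "Loans", ["Low", "Low", "Medium", "Medium", "Severe"]),
    ProcessImpact("Central Cust. Care", "Non-stop Call Center", ["Severe", "Severe", "Severe", "Severe", "Severe"]),
    ProcessImpact("Central Cust. Care", "Claims resolution", ["Low", "Low", "Low", "Low", "Medium"]),
]

if __name__ == "__main__":
    for p in prioritise(SAMPLE):
        mad = max_allowable_downtime(p)
        print(f"{p.name:45s} MAD: {'> horizon' if mad is None else f'{mad} day(s)'}")
    print("Critical (MAD <= 1 day):", critical_processes(SAMPLE))
```

The ranking is what feeds plan development: processes with a MAD of 0 need a hot standby or manual fallback ready before the event, those at 1 to 5 days can be covered by transient operations at diminished capacity, and the never-Severe tail can wait for normal recovery.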

16

The experience

Projects delivered

For major financial institutions
Typical length: 6-8 months
Typical effort: 5-6 man-years
Typical outputs
- 1200+ pages of analysis and plans
- customised BCP software solutions
- hundreds of staff trained

17

The experience

What is key and what is not?

The business impact analysis is crucial!
- deep business understanding and experience
- experience in business and risk analysis
- objectivity (?)

The method is less important
Software (database) support
No testing = waste of money
No maintenance = false sense of safety

18

The experience

Who should do the project?

Employees
- their participation is a must

External consultants
- not absolutely necessary, but:
  - bring in wide experience and support tools
  - do not start from ground zero, do not commit basic mistakes, do not get stuck in the process
  - help the objectivity (external eye)

External IT providers
- they know the most about their systems

19

The experience

How to tell a bad plan?

Thick, cumbersome manual
A piece of work done by the IT and for the IT
Only known to those who created it
Result of a compulsory homework, without support and staff not trusting it
Gathering dust on a shelf somewhere...

20

The experience

How to tell a good plan?

Easy to use, well structured
Covers all important areas
Testable and maintainable
Up-to-date (timely inclusion of changes)
A living and well-known document

21

The broader view

Business Continuity Management Services

Availability
- Solution: Service Level Management (SLM)
- Focus: proactive and preventive (strategic)
- Goal: achieve and maintain set availability targets

Reliability
- Solution: Enterprise High Availability (EHA)
- Focus: proactive and preventive (strategic)
- Goal: effectively manage and control the IT infrastructure to improve overall operational reliability

Recoverability
- Solution: Business Continuity Planning (BCP)
- Focus: fast reaction and recovery (tactical)
- Goal: minimise downtime of critical processes in the event of a major disruption

22

Q & A

Tamás Gaidosch, Director, Information Risk Management, KPMG Central and Eastern Europe, +36 1 270 7139, [email protected]