kpmg Business Continuity Planning
An experience based approach
Tamás Gaidosch
Director, Information Risk Management
KPMG Central and Eastern Europe
+36 1 270 [email protected]
Piaţa Financiară: Business Continuity and Disaster Recovery Centres, 2nd edition
Bucharest, 11.02.2003
2
Agenda
KPMG in a nutshell
Definitions
- BCP, DRP, etc… what are we talking about?
Goals
- what do we want to achieve?
The method
- a practical way to achieve the goals
The experience
- what works and what does not?
Q & A
3
KPMG in a nutshell
One of the leading professional services firms
Offices in more than 160 countries
Over 100 000 professional staff worldwide
Central and Eastern Europe: 15 countries, over 2 500 professional staff
- full breadth of audit and consulting services
4
Information Risk Management (IRM)
[Diagram: Audit and other financial assurance services; IT Consulting; Information Risk Management (IRM)]
IRM services
- E-Advisory
- E-Assurance
5
Definitions
DRP (Disaster Recovery Plan)
- the roots of business continuity planning ('70s)
- focused on IT recovery
BCP (Business Continuity Plan)
- scope extended to the business processes
BCM (Business Continuity Management)
- focuses on continuous availability
CM (Crisis Management)
- deals with big disasters
6
Goals
What do we want to achieve with a BCP?
Recovery of services
- as fast as possible
- as cost effective as possible
7
Why bother?
Image, good reputation
Meet client expectations
Minimise financial losses
Regulatory compliance
Manage operational risk
Tomorrow: TO SURVIVE
8
Numbers
Average loss caused by one hour of IT disruption
Industry USD
Brokerage 7 840 000
Card authorisation 3 160 000
Pay-per-view 183 000
TV shopping 137 000
Airway reservations 108 000
Parcel services 34 000
ATM fees 18 000
Source: Datamotion
9
Numbers
Causes of IT disruptions
Process 40%
People 40%
Technology 20%
Source: Gartner Group
11
The method
Business Continuity as a process
[Figure: business processes on a scale from 0% to 100%, with the points Event, Activate and Verify marked]
12
The method
Phases of the plan
Preparation
- before the event
Response
- immediately after the event
Transient operations
- alternative processes
- diminished capacity and functionality
Recovery
- returning to normal operations
13
Running a BCP project
Business impact analysis (BIA)
Plan development
Implementation
Testing
Training
Maintenance
14
Business Impact Analysis (BIA)
Process and risk assessment
Impacts of disruption
- financial
- operational
- legal
- reputation
Results
- priorities of business processes
- critical processes and systems
- maximum allowable downtimes
15
Business Impact Analysis (BIA)
Financial impact of disruption
[Figure: matrix rating the financial impact (Low, Medium, Severe) of each business process by time after disruption: day 1, days 2-3, days 4-5, week 2, weeks 3-4]
Business Unit: Business Process
Treasury: Cash supply of branches, Cash management, Bulk deposits
Branch Network: Cash transactions, Transfers, Claims resolution, Loans
Central Cust. Care: Non-stop Call Center, Claims resolution
16
The experience
Projects delivered
For major financial institutions
Typical length: 6-8 months
Typical effort: 5-6 man-years
Typical outputs
- 1200+ pages of analysis and plans
- customised BCP software solutions
- hundreds of staff trained
17
The experience
What is key and what is not?
The business impact analysis is crucial!
- deep business understanding and experience
- experience in business and risk analysis
- objectivity (?)
The method is less important
Software (database) support
No testing = waste of money
No maintenance = false sense of safety
18
The experience
Who should do the project?
Employees
- their participation is a must
External consultants
- not absolutely necessary, but:
  - bring in wide experience and support tools
  - do not start from ground zero, do not commit basic mistakes, do not get stuck in the process
  - help the objectivity (external eye)
External IT providers
- they know the most about their systems
19
The experience
How to tell a bad plan?
Thick, cumbersome manual
A piece of work done by the IT and for the IT
Only known to those who created it
Result of a compulsory homework, without support and staff not trusting it
Gathering dust on a shelf somewhere...
20
The experience
How to tell a good plan?
Easy to use, well structured
Covers all important areas
Testable and maintainable
Up-to-date (timely inclusion of changes)
A living and well-known document
21
The broader view
Business Continuity Management Services

Issue: Reliability
Solution: Service Level Management (SLM)
Goal: Effectively manage and control the IT infrastructure to improve overall operational reliability

Issue: Availability
Solution: Enterprise High Availability (EHA)
Goal: Achieve and maintain set availability targets

Issue: Recoverability
Solution: Business Continuity Planning (BCP)
Goal: Minimise downtime of critical processes in the event of a major disruption

Focus: Proactive and preventive (strategic) / Fast reaction and recovery (tactical)
22
Q & A
Tamás Gaidosch
Director, Information Risk Management
KPMG Central and Eastern Europe
+36 1 270 [email protected]