The Revere Group - Making A Case For Disaster Recovery
1. Making a Case for Disaster Recovery Business Continuity & Disaster Recovery Planning Chris A. Davis Greg Clotfelter Business Continuity & Security ManagementPractice
2. Agenda Revere Overview Introduction to BC & DR BCP Objectives Business Impact Analysis Open Discussion and Q & A
3. A History of Revere Growth 2007 LOS ANGELES 2007 DENVER 2007 ORLANDO 2005 BOSTON 1999 CHARLOTTE 1996 MILWAUKEE 1994 CHICAGO 1992 SAN FRANCISCO
4. The Revere Group’s Services Operational Efficiency Analytics and Collaboration Enterprise Platforms Managed Services Interactive IT Strategy Organizational Change Management Process Optimization Business Continuity Security Planning Supply Chain Management Governance Compliance Web Strategy Interactive Design Usability Web and Interactive Development Social Media E-Commerce CMS SEO Business Intelligence Portals Workflow Lawson Microsoft Oracle I PeopleSoft SAP Java/J2EE Open Source Application Management Infrastructure Management Database Support Managed Hosting IT Departmental Outsourcing
5. Trusted Advisor to Hundreds of Clients Manufacturing, Distribution & Trade Insurance Healthcare Financial Services Aurora Bellin Hospital Brookdale Senior Living Briggs Medical Services Company CuraScripts Evanston Northwestern Healthcare Extendicare Health Services Father Martin Ashley Florida Hospital Froedtert Global Health Direct Loyola Physicians Foundation Memorial Healthcare Systems Northwestern Medical Faculty Foundation St. Mary's Hospital Thedacare University of Wisconsin Hospital & Clinics Bank of America BB&T Chase Bank CNL Financial Equity Investments Fifth Third Bank Fort Dearborn Associates GunnAllen Financial Lexis Nexis Mitsubishi UFJ Securities The Northern Trust Company Trustco Bank U.S. Bank Wachovia Angus Palm AIT Worldwide Logistics DB Aviation Focus Products Group Haworth Hub Group Kawasaki Masco Corporation NITCO Pampered Chef PepsiAmericas, Inc. Rockwell Collins Santa’s Best SPX Corporation Toyota Motor Sales TTX WMS Gaming Zebra Technologies AJ Gallagher AON BCBS Association BCBS of North Carolina BCBS of Tennessee CNA Insurance CUNA Mutual First Penn Hannover Life Re HUB International Markel Insurance SUA Insurance United Healthcare Zurich Life/Chase Utilities Media and Entertainment Consumer Products Services Ascent Media CBS Lionsgate Films NBC Universal New Regency Films Playboy Scholastic Book Publishing Screen Actors Guild Sony Pictures Entertainment Sun Times Universal Music Group CoAdvantage Grant Thornton H & R Block Hewitt Associates, Inc. Illinois Facilities Fund Jefferson Wells International Lettuce Entertain You Enterprises Starcom MediaVest Group The BECO Group Verio Arch Communications Ameritech Anixter Duke Energy Nicor Santee Cooper Sprint Coca-Cola Company Culver's Family Dollar Stores Follett Kohl's Corporation Kraft Foods, Inc. Land of Nod Peapod ShopKo
6. Today’s Reality “Only 38% of Fortune 1000 C-level executives surveyed in an independent study believe their companies are ‘very effective’ at identifying and managing all potentially significant risks that could negatively impact business, operational or financial performance.” – based upon a survey commissioned by Protivity Not all disasters are caused by external uncontrollable factors in fact 80% of all declared disasters are internal to the organization. Many enterprises mistakenly view business continuity management as an insurance policy that they will never need to place a claim against because of their “it won’t happen to me” mentality. High-profile events such as the Sept. 11 attacks, the failures of firms such as Enron and WorldCom, and the 14 August 2003 blackout in the U.S. Northeast and Canada are focusing government and regulatory attention on changes in corporate governance, transparency and wider issues of enterprise risk management. This attention and these changes will affect business continuity management. “Well managed companies manage risk well.” 6
12. 11 “Well Managed Companies Manage Risk Well” Into Which Category Could Your Firm Fall? % of Firms With No Disaster Plan Who Survive Catastrophe 40% FailWithin 5 Years Only 20%Survive! 40% Never Reopen
16. Mitigate their impacts before and after an eventAssure that each datacenter is prepared to activate the resumption and support of critical IT services. Continue/resume time-sensitive business operations for the critical and essential application systems required to support business operations.
30. Conducting a Business Impact AnalysisAn 11 step process… Identify the intangible impacts that make up the significant risk exposures to the organization. One intangible impact may be that the organization will lose employees and jeopardize recovery efforts if employees aren’t paid in a timely manner. Where possible, contracted service level agreements and any associated penalties should be identified, along with legal or regulatory penalties. Force majeure clauses should be reviewed as well, as some insurance carriers have specific guidelines designed to protect organization.
31. Conducting a Business Impact AnalysisAn 11 step process… Financial impacts to the organization as a result of process unavailability can be applied to each function. The BIA seeks to identify both direct and indirect financial impacts. Consider the many types of revenue loss for the organization as some may not truly be a loss but deferred income.
32. Conducting a Business Impact AnalysisAn 11 step process… Develop the potential financial loss exposure: First, get the REVENUE figures for the last year by month. Take the biggest revenue generating month and divide by the number of work days. Second, get the figures on EXPENSES per month (wages, rent, fixed expenses, etc) and do the same thing. Third, add in any potential REGULATORY FINES or anything else that could be added. Understand that some revenue may be recouped at different times, and some expenses will be higher (especially if employees have to go to overtime to make up the backlog for example), but it at least gives an example of a starting point from which to further refine. More on this in a moment, but first…
33. Conducting a Business Impact AnalysisAn 11 step process… Analyze and document results, impact categories and potential financial loss to confirm recovery priorities and business unit recovery sequence. Conduct workshops to gain consensus and validate responses, especially the RTO’s, and communicate any ancillary benefits to executive management, for example: streamlining operations, identifying outdated technologies, unrealistic spending, business process improvement, outsourcing opportunities, single points of failure, etc.
38. Telecommunications: $2.0M “Back of the Envelope” Sample Loss Exposure Taken from the 2007* Annual Report REVENUE ≈ $6.15M EXPENSES ≈ $6.91M Annualized Loss Exposure ≈ $13M Monthly ≈ $1.08M Daily (assume 30 days) ≈ $ 36,000 Hourly (assume 24 hours) ≈ $1,500
39.
40. Perform an Informal Business Impact Analysis and Risk Assessment - Business continuity and disaster recovery planners should interview line-of-business (LOB) managers to determine the impact on business processes if specific sites or resources should become unavailable.
41. Understand Current Efforts – Your organization may currently have a DR plan in place, or all too often, recovery procedures exist inside the heads of administrators. either of these is the case, it is important to understand several key characteristics of the current efforts, such as: when the last time a drill was executed, who ran the drill, was it successful, what were the lessons learned, and has it had any continued impact on the organization.
77. Conclusion – Q&A SessionDisasters Happen! Are you ready? Questions ??? The Revere Group Contact Information: Greg Clotfelter – gclotfelter@reveregroup.com Chris A. Davis – cdavis@reveregroup.com John Janachowski, Certified Business Continuity Professional jjanacho@reveregroup.com