Patrick Corcoran, Global Business Development Executive
Business Continuity & Resiliency Services (BCRS)
Key Trends Driving Global Business Resilience and Risk
© 2010 IBM Corporation

Agenda
– What is Resiliency?
– Resiliency: The CIO perspective
– Moving forward: Building a comprehensive business resilience strategy
– Regional Event Learnings
© 2011 IBM Corporation

Business resilience refers to the ability of enterprises to adapt to a continuously changing business environment. Business resilience helps organizations maintain continuous operations and protect their market share in the face of disruptions such as natural or man-made disasters. It requires the engagement of everyone in the organization and often means a change in corporate culture to instill awareness of risk. Business resilience planning is distinguished from enterprise risk management (ERM) in that it is more likely to build capacity to seize opportunities created by unexpected events.

As budgets shrink and service level requirements increase, our business becomes even more vulnerable to data loss.

Changing environment

Expanding risk exposures
– Increased global and regional interdependencies
– Supply chain disruption

More complex regulations
– Changing industry and regulatory standards
– Geographic dispersal requirements
– Varying regulations per country

Heightened impact of business disruption
– Greater financial implications of downtime
– Brand vulnerabilities
– Data integrity requirements

Impact of coping with the financial turmoil
– Loss of critical personnel
– Loss of key knowledge
– Reduction in attention to significance of risk
– Reduction in testing recovery plans

Disaster recovery and business continuity is one of the top IT spending priorities for many businesses.
The continuous flow of information is inseparable from the operational performance of the business.

The Facts
– Information technology is often at the epicenter of how a firm interacts with its clients
– Information technology is always a lever to produce highly efficient supply chains, operations and workflows
– In combination, these two dynamics generate an explosive growth of managed data

The Implications
– Business resilience and information risk management are commonly on the agenda of the board of directors
– Firms must assess: Are we compliant? Are we reliable? Can we be trusted?
– Firms must decide how resilient they wish to be – contextualized in the availability, security and recoverability of their business operations
– Firms must evaluate the extent to which competitive advantage or disadvantage is influenced by their chosen resilience standing

We see both risks and opportunities affecting firms' business resilience needs

[Chart: risks plotted by frequency of occurrences per year (frequent to infrequent, 1,000 down to 1/100,000) against consequences (single occurrence loss) in dollars per occurrence (low to high, US$1,000 to US$100,000,000), grouped as data driven, business driven and event driven. Items shown: viruses, worms, data corruption, disk failures, data growth, system availability failures, long term preservation, application outages, audits, network problems, new products, regulatory compliance, governance, failure to meet industry standards, terrorism/civil unrest, marketing campaigns, building fires, workplace inaccessibility, regional power failures, natural disasters, pandemics, mergers and acquisitions. Source: IBM]

But there are many other events that have caused business disruptions/outages that don’t make headlines, but can be just as costly.
A/C Failure, Acid Leak, Asbestos, Bomb Threat, Bomb Blast, Brown Out, Burst Pipe, Cable Cut, Chemical Spill, CO Fire, Coffee Machine, Condensation, Construction, Coolant Leak, Cooling Tower Leak, Corrupted Data, Diesel Generator, Earthquake, Electrical Short, Epidemic, Evacuation, Explosion, Fire, Flood, Fraud, Frozen Pipes, Hacker, Hail Storm, Halon Discharge, Human Error, Humidity, Hurricane, HVAC Failure, H/W Error, Ice Storm, Insects, Lightning, Logic Bomb, Lost Data, Low Voltage, Microwave Fade, Network Failure, Pandemic, PCB Contamination, Plane Crash, Power Grid Outage, Power Outage, Power Spike, Power Surge, Programmer Error, Raw Sewage, Relocation Delay, Rodents, Roof Cave In, Sabotage, Shotgun Blast, Shredded Data, Sick building, Smoke Damage, Smoke from Restaurant, Snow Storm, Sprinkler Discharge, Static Electricity, Strike Action, Swimming Pool Leak, S/W Error, S/W Ransom, Terrorism, Theft, Toilet Overflow, Tornado, Train Derailment, Transformer Fire, UPS Failure, Vandalism, Vehicle Crash, Virus, Water (Various), Wind Storm, Volcano / Volcano Ash

Source: Contingency Planning Research, Inc. and IBM

Agenda
– What is Resiliency?
– Resiliency: The CIO perspective
– Moving forward: Building a comprehensive business resilience strategy
– Regional Events Learnings

Who cares about resiliency?
– 71% of CIOs are concerned about risk management and compliance
– It takes 18 months for data generated to double in size
– Technology users expect 100% availability of their applications and their information
– 53% of organizations would experience significant revenue loss or other adverse business impact after 1 hour of downtime
Source: Enterprise Strategy Group, April 2011

Impact of coping with the financial turmoil
– Loss of critical personnel
– Loss of key knowledge
– Reduction in attention to significance of risk
– Reduction in testing recovery plans

IT plays a critical role in developing resilience strategy

[Chart: share of respondents agreeing with each statement]
– IT plays a major part in building resilience
– Senior IT execs expected to play strong role in developing strategy
– Business resilience is joint responsibility of all C-level executives
– CIO collaborates with top IT strategists more frequently
– Risk contingency planning assigned to separate specialists
– IT function engaged in most decisions involving business risk
– Business continuity seen as primarily IT issue
– Business resilience not seen as role of senior executives
– CIO has overall responsibility for business resiliency strategy

“IT is a big part of our risk management because nothing can be done without it these days.”
Kris Wiluan, CEO, KS Energy Services Limited

Source: 2011 Q7. Do you agree or disagree with the following statements regarding the roles of different players in your organization's risk management strategy? (Agree only.)

To date, companies have focused heavily on creating their resilience and risk plans — and putting supporting technologies and processes in place.
– Create a business continuity plan
– Invest in new risk-related IT solutions
– Establish company-wide risk management team
– Discuss issues with supply-chain partners
– Assign overall responsibility to a single executive
– Develop communications or training program
– Respond to recent natural disasters by rethinking strategies
– Develop integrated business resilience strategy
– Engage external advisors

“What we’re trying to do here is preserve our culture and make money at the same time, and managing risk is what that’s all about.”
Lee Garvin, Director, Risk Management, JetBlue

Risk concerns for IT leaders span a range of issues

In 2010 and 2011, IBM surveyed 560 IT managers and CIOs about how IT continuity was evolving.

In the past 12 months, what kinds of risk issues has your company dealt with?
– IT security: 78%
– Hardware and system malfunction: 63%
– Power failure: 50%
– Physical security: 40%
– Theft: 28%
– Product quality issues: 25%
– Federal compliance issues: 22%
– Natural disaster: 17%
– E-discovery requests: 13%
– Supply chain breakdown: 11%
– Terrorism activity: 6%

Matches survey results from Forrester Research.

Source: 2010 IBM Global IT Risk Study: The evolving role of IT managers and CIOs

More companies are embracing the need for a well-crafted business resilience plan - and a risk management function.

[Charts: responses (Agree / Disagree / Neither) to three statements]
– Well-crafted and communicated plan
– No formal plan, but plan to develop one
– No formal risk management function

Study comparison: Only 30% of respondents in this year’s study indicated they had no formal risk management function, compared to 42% in the 2010 study

Source: Q1. Do you agree or disagree with the following statements regarding your organization’s IT risk management?
Study comparison: 2010 IBM Global IT Risk Study

Compared to their competitors, respondents viewed themselves as better able to handle predictable resilience and risk events.

[Chart: responses (Stronger / Same / Weaker / Don’t know) for each area]
– Maintain business operations in physical disaster
– Prevent unauthorized access to proprietary data
– Maintain operations during a pandemic
– Adapt rapidly to crisis
– Align contingency plans with changing risks
– Reliably retrieve archived data to meet legal requirements
– Seize unexpected opportunities
– Minimize losses from unexpected events

Because of its impact on the business as a whole, a crucial area for improvement is the ability to seize unexpected opportunities.

An effective business resilience plan will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.

Source: Q4. In your opinion, how does your organization compare with its closest competitors in the following areas?

Study results revealed an opportunity for companies to further hone their competitive edge by integrating business continuity and risk management.

[Chart: responses (Stronger / Same / Weaker / Don’t know) for each area]
– IT infrastructure supports business growth
– Sees value of business continuity as part of risk mgmt
– Profitability
– Market share
– Revenue growth

Even though organizations have strategies for business resilience and risk management, they may not be integrating and leveraging those strategies for business advantage.

“Companies with a robust ERM program have lower losses, fewer embarrassing events and a better reputation.”
Yousef Valine, Chief Risk Officer, First Horizon National Corporation

Source: Q9. How does your organization compare to its closest competitors in the following areas?

Agenda
– What is Resiliency?
– Resiliency: The CIO perspective
– Moving forward: Building a comprehensive business resilience strategy
– Regional Events Learnings

Organizations expect their business resilience and risk management spending will continue to increase on a par with previous increases.

Change in spending (up to now / next 3 years):
– Increase significantly: 14% / 14%
– Increase: 47% / 51%
– Stay the same: 33% / 31%
– Decrease: 4% / 4%
– Decrease significantly: 1% / 1%

65% of organizations expect their business resilience and risk management spending to increase in the next three years

“My selling pitch to them (CEO and the board) is that a robust risk management capability is a competitive advantage.”
Yousef Valine, Chief Risk Officer, First Horizon National Corporation

Source: Q3. How has your organization changed its degree of spending on initiatives to improve business resilience?

A projected increase in the role played by non-IT functions may be related to the increase in emphasis on strategy integration and training.

[Chart: level of involvement, up to now and next 3 years, for each group]
– CIO
– IT professionals
– Other C-level execs
– Legal
– Board members
– Employees
– Partners

“Detecting risk has to happen at the point where the behavior is occurring.”
Dr. Barbara Reynolds, Senior Advisor, Risk Communication, Centers for Disease Control and Prevention (CDC)

Source: Q6a. Over the next three years, what is the expected level of involvement for the following people in your organization's risk management or business resilience strategy? (Very involved or involved.)
Study comparison: 2010 IBM Global IT Risk Study

Identifying the roadblocks: Silos and budgets can impede the adoption of a holistic approach to business resilience

– Lack of understanding about emerging technologies — 8%
– Lack of understanding about best practices — 9%
– Lack of buy-in from employees — 4%
– Silos within the organization — 28%
– Lack of C-level vision and commitment — 14%
– Inability to predict ROI from improvements — 17%
– Budget limitations — 20%

Study comparison: 2010 top challenges
– Implementing necessary procedures
– Securing budget
– Obtaining full risk picture from depts

Source: Q10. What is the biggest single barrier to implementing a holistic approach to business resilience planning?

Leverage the findings of the IBM Global Business Resilience and Risk Study in your organization

Recommendations

“An effective business resilience plan will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.”
2011 IBM Global Business Resilience and Risk Study report

– An integrated approach to business resilience and risk management offers a significant business opportunity for organizations of all sizes
– Appointing a single individual with overall business resilience and risk management responsibility is essential to integration success
– Input should be sought from throughout the enterprise — including employees and partners
– Focus should be on the business impact and business opportunity.
Recovery is a subset of the resiliency plan
– Cloud technologies have matured significantly and now have the potential to deliver significant business resilience benefits
– The newly integrated business resilience and risk management strategy can be levered to seize unexpected opportunities and deliver measurable business value

A resilient framework helps identify areas of risks and vulnerabilities, and allows a company or organization to develop an enterprise resiliency roadmap.

[Diagram labels: Risk mitigation strategies (business driven, data driven, event driven); Business resilience; Strategy; Organization; Processes; Applications and Data; Technology; Facilities]

Agenda
– What is Resiliency?
– Resiliency: The CIO perspective
– Moving forward: Building a comprehensive business resilience strategy
– Regional Events Learnings

Headline events often mobilize our clients to pause and reflect on their current IT resilience standing...

Lessons Learned from Regional Events

Events create other events … domino effect
– Japan: earthquake => tsunami => nuclear plant damage => power problems => supply chain problems ……
– Hurricanes => Flooding => Mud/Landslides => Power Outages ……

Human issues
– Will people be available? How about their families? Financial assistance?
Communications issues
– Communicating with, supporting and mobilizing employees, customers and suppliers, the press and the public at large

Community issues
– Fulfilling responsibilities to host communities

Infrastructure issues
– Anticipating how roads, travel and power supplies might be affected
– Vulnerability of sites

Business issues
– Keeping business processes running
– Managing insurance claims

Disaster plan currency
– Keeping plans up to date and well tested
– Availability of data and hardware

To learn more about lessons learned from regional disasters, listen to the following webinar: http://www-935.ibm.com/services/us/bcrs/html/web-seminar_hurricane-lessons-learned.html?&me=W&re=webseminars

IBM delivers unsurpassed geographic scope, combined with expertise of local, regional, and global needs/regulations.
– Over 160 data centers globally
– 100 percent recovery for IBM clients who have declared a disaster (over 800)
– More than 1,875 professionals dedicated to business continuity and resiliency
– More than 9,000 disaster recovery clients
– More than 10,000 client rehearsals per year
– More than 50 years experience helping clients with their backup and disaster recovery needs
– Over 800 client declarations supported since 1989
– Scalable, end-to-end, cloud-based data backup and recovery solutions
– Five million square feet of floor space for disaster recovery, with 40,000 seats

Business continuity and resiliency is about…
– Protecting your enterprise
– Mitigating business and support issues
– Increasing your competitive advantage
– Protecting brand reputation
– Enabling seamless, continuous business transactions
– Exploiting market opportunities

Questions?
Jay Shah
jshah@championsg.com