Business Continuity Risk: Mitigation and Contingency Planning
An ounce of prevention... and what to do when that's not enough

Discussion Leader: Andrew Gansler, Senior Manager, Management Consulting Services
Moderator and Q&A: Lawrence Baye, Principal, Management Consulting Services

November 6, 2001


What is Business Continuity Risk?

Grant Thornton LLP defines business continuity risk as the threat of any incident that may cause an extended disruption of business functions or impact the ongoing integrity of the firm.


What are the risks to business continuity?

• Traditional concerns
  – Fire
  – Storm
  – Flood
  – Hurricane
  – Earthquake
  – Power outage
  – Equipment failure

• Less publicized but emerging trends
  – Intrusion (physical or logical)
  – Control failures
  – Sabotage
  – Terrorist activity


Some statistics…

• 2 out of 5 businesses that experience a major disaster will cease to exist within 2-5 years (Gartner, 2001)

• Some believe that as many as 80% of businesses suffering a major disaster will cease to exist as a direct or indirect result (BCC, 2001)

• The average bank robbery yields $2,500; average computer crime nets $500,000 (CSI/FBI 2001 Survey)

• Less than 50% of existing business continuity plans meet their firms' recovery objectives (KPMG)


What's at stake for you?

• Assets "at risk"
• Customer confidence
• Fiduciary responsibility
• Regulatory and other compliance
• Insurance 'out' clauses
• Trading partner relationships


Key considerations for Professional Services firms

• Fractionalization of firm
  – Reduced cohesion for collaboration
  – Controls breakdown

• Paper morass
  – Drawings, transcripts, contracts, discovery materials, etc.
  – Replacement issues

• Intellectual capital
• Confidence level of employees
• Availability of mission-critical information
• Insurance exclusions


Key trends and challenges for real estate management companies

• Increased insurance premiums
• Security costs
  – Security/operation balance
  – Cost cutting environment/static budgets

• Loss of tenants
• New service expectations
  – Full backup power
  – Redundant/enhanced telecommunications

• Availability of investment capital
• Tenant diversification
• Prospective tenant's risk assessment


How to manage and mitigate business continuity risk

• Risk Mitigation
  – Emphasis on safeguarding your assets
    • Physical
    • Logical (information)

• Contingency Planning
  – Quickly returning your business to a functional state after an unavoidable and significant incident


Framework

[Diagram: Prevention, Detection, Recovery]


The information security problem

• Securing the server and its data
• Securing information while in transit
• Securing the user's computer


Methods of intentional attack on information resources…

• Logical / Hacking
  – Passwords
  – Port/packet sniffing
  – Demon dialers
  – Spoofing
  – Home users

• Virus threats
  – 89% of respondents reported a problem (IS Magazine)
  – Platform specific
  – Easy to engineer


The neglected areas

• Physical restriction
• Data backup
  – Frequency
  – Completeness
  – Testing


What can be done?


Three Ds of security policy


Tools, methodologies and best practices

• Control management
  – CPA WebTrust/Systrust
  – SAS 70

• Encryption and Authentication
  – Digital IDs
  – SSL
  – VeriSign®
  – PPTP

• Intrusion prevention, detection and monitoring
  – Configuration
  – Firewalls / Proxy servers
  – Detection/monitoring software
  – Intrusion testing

• TrueSecure
• GrantGuard


Tools, methodologies and best practices (cont.)

• Strict backup procedures
  – Full backups
  – Client backups
  – Documentation
  – Off-site rotation
  – Periodic recovery tests

• Virus updates
  – Footprints
  – Push to users
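As an added example (not from the original deck), the three backup items the slides list as neglected, frequency, completeness and testing, together with the periodic recovery test called for above, expressed as checks over a constructed backup manifest. The manifest layout, the file names and the 24-hour policy are assumptions for illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed live copies of the vital records that a restore must reproduce.
ORIGINALS = {
    "contracts.db": b"lease 101: 12 months; lease 102: 36 months",
    "rent_receipts.csv": b"tenant,amount\n101,2500\n102,3100\n",
    "transcripts.tar": b"deposition 2001-10-30",
}
# Constructed backup manifest with two planted defects: transcripts.tar was
# never added to the backup job, and the rent receipts copy is truncated.
BACKUP = {
    "taken_at": datetime(2001, 11, 3, 23, 0),
    "files": {
        "contracts.db": ORIGINALS["contracts.db"],
        "rent_receipts.csv": b"tenant,amount\n101,2500\n",
    },
}

def check_frequency(backup, now, max_age):
    """Frequency: the latest full backup must be no older than the policy age."""
    return now - backup["taken_at"] <= max_age

def check_completeness(backup, vital):
    """Completeness: return the vital records absent from the backup set."""
    return vital - set(backup["files"])

def restore_test(backup, originals):
    """Testing: restore each file and compare its SHA-256 with the live copy."""
    return {p: hashlib.sha256(b).digest() == hashlib.sha256(originals.get(p, b"")).digest()
            for p, b in backup["files"].items()}

def audit(backup, originals, now, max_age=timedelta(hours=24)):
    """Findings a periodic recovery test should raise; an empty list is a pass."""
    findings = []
    if not check_frequency(backup, now, max_age):
        findings.append("stale: last full backup older than %s" % max_age)
    for p in sorted(check_completeness(backup, set(originals))):
        findings.append("missing: %s not in backup set" % p)
    for p, ok in sorted(restore_test(backup, originals).items()):
        if not ok:
            findings.append("corrupt: %s restored with wrong hash" % p)
    return findings

def run_audit():
    """Run the audit at an assumed test time of 6 Nov 2001, 09:00."""
    return audit(BACKUP, ORIGINALS, datetime(2001, 11, 6, 9, 0))
```

A backup job that silently omits a record or writes a truncated copy passes every "did the job run" check; only the hash comparison against live data catches it, which is why the recovery test has to be periodic rather than one-off.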


Framework

[Diagram: Prevention, Detection, Recovery]


An unavoidable threat to business continuity has occurred... What's at stake?

• Customers move to "more reliable" competitors
• Idle time of non-productive employees
• Loss of customer service satisfaction
• Cost of rebuilding lost data (errors/rework)
• Additional staff needed to resolve problems
• Fines and penalties imposed by regulatory agencies
• Fines and penalties associated with existing contracts
• Breakdown of internal controls


Emergency Procedures vs. Disaster Recovery vs. Business Continuity

• Emergency Procedures
  – Focus on tactical steps to be performed by operations staff on an event-by-event basis
  – Heavy emphasis on minutes/hours following onset of an emergency
  – Facility schematics (HVAC, plumbing, etc.), service providers

• Disaster Recovery
  – Focus on technology resumption (or, traditional Disaster Recovery)
  – Restoration of 'mission-critical' technology, communications infrastructure, centralized applications
  – Contact lists, notification schedules, 're-start' procedures

• Business Continuity
  – Focus on restoring critical business processes and 'normal' operations: inventory and prioritize
  – Technology is critical, but so are 'essential' business processes, e.g., rent receipt processing


Some recent examples

• Global Investment Bank
  – On a Saturday in August, a steam pipe ruptured in NYC. Areas affected: equity trading, equity sales, equity research, equity capital markets, private wealth management and legal departments; 1,100 staff
  – Result: Initiated business continuity plan; relocated staff to six alternative locations. Resumed trading operations Monday morning

• Major Financial Publisher
  – September 11: staff were displaced by tragic events. Publishing capability was at risk.
  – Result: After the 1990 power blackouts in lower Manhattan, the company had developed an elaborate business continuity plan. They executed this plan, which included activation of a hot-site in NJ, which was ready for use by the time staff arrived there.


Some recent examples

• Key Processing / Clearing Bank
  – September 11: the bank executes its disaster recovery plan in response to the terrorist attack. Trade processing and other core functions are re-routed to backup systems. As a result of prioritization, continuity was restored for some systems and processes (e.g., trade processing, clearing, settlement), while areas deemed non-essential (e.g., ATM network) were not restored.
  – Result: Many of the backup systems worked. But some did not (e.g., government bond processing). The bank believes it was successful in implementation of its plan. Some of its customers may disagree.

• Major Law Firm
  – September 11: relocated WTC staff to 7 other NYC law firms using borrowed space
  – Result: Scattered people, fragmented operations, collaboration/coordination issues


The Cost of Business Continuity

• Cost components
  – Consultants
  – Internal resources
  – Service providers (recurring)
  – Time

• Who pays?
  – Company-wide project with an IT component

But consider the cost of doing nothing...


What you should be doing now

Review your plan…

Do you have a comprehensive plan?
• 80% of NY-based companies' plans are lacking, missing, or obsolete*

If YES:
• Review it
  – Changes since last review: new systems, infrastructure changes
  – Are responsible individuals still with your firm?
  – Does it provide for restoration of core business functions?
  – Are your critical resources centralized?
  – Service contracts

• Get a 3rd party perspective
  – Will your plan work in today's environment?

• Test it
• Maintain it

* Source: GT


What you should be doing now

Develop a plan…

Do you have a comprehensive plan?

If NO:
• Get management buy-in
  – Expensive, time consuming, no immediate ROI

• Form a team
• Define your approach
• Perform a business impact analysis
• Cover the essentials
• Develop the plan
• Train your employees
• Test the plan
• Maintain and update the plan


What you should be doing now

Consider remote site operation…

Do you have an alternate location available for technology and people?

Hot Site, Cold Site, Mobile-Site or Hybrid

• If YES:
  – Review the terms of your agreement. Does the contracted service still meet your current needs?

• If NO:
  – Consider an outsourcing services provider (SunGard, IBM, etc.) as one part of a comprehensive solution.

• Considerations
  – Exclusion zones
  – Service guarantees
  – Duration
  – Test time
  – Competitive bidding
  – Complex pricing structures
  – Termination clauses


What you should be doing now

Review your insurance coverage…

Do you have all the necessary insurance?

General commercial coverage (e.g., liability, property, etc.)

Business interruption insurance

OEM insurance / quick ship

• If YES:
  – Review your policies.
    • E&O, terrorism and other exclusions

• If NO:
  – Get some!


What you should be doing now

Review important processes…

Are your critical processes paper intensive?

• Next to people, paper records are the most difficult component of any business to replace
  – What are my vital records? What are the retention requirements?
  – What would happen if my vital paper records were destroyed?

• Consider document imaging and workflow automation
  – Re-think current processes
  – Automate paper-intensive processes
  – Provide an electronic record of important documents

• Confirm legal admissibility
  – ROI very high; usually pays for itself


What else can I do?

• Review your outsourced services
  – Does your service provider have a disaster recovery plan?
  – Are they viable over the long term? Many recent ASP, ISP, and carrier failures
  – What controls are in place to prevent unauthorized access to your data? Have these controls been tested by an independent third party?

• Form alliances
  – Is there a business partner, or even competitor, that I would be willing to team with?
  – Is there a company that has similar equipment to mine, whose technology resources (e.g. data center) can be made available to me if necessary?


Questions and Answers