Gartner Business Continuity Management Summit 2009 Crisis Management Keynote Workshop Would a...

Trip Report

Transforming Sustainable Recovery into World Class Business Resiliency

Gartner Business ContinuityManagement Summit 2009April 27-29, 2009Chicago, IL

The 2009 Gartner Business Continuity Management Summit was held April 29 – May 1 in Chicago at the Sheraton Chicago. Co-located with the Gartner Risk Management & Compliance Summit, the event drew hundreds of IT professionals and decision makers involved in the management of their enterprises’ business continuity management and IT disaster recovery programs. This report provides highlights from the three day event.

WhaT’S The STaTe of youR BCM pRoGRaM?

That question was top-of-mind at the 2009 Summit as attendees tuned-in to new insights and fresh analysis on how to take their business continuity management program (BCM) from the tactical to strategic. At a time when the stakes are at an all-time high for revenue, reputation, productivity and competitiveness, participants drilled down to the how’s and why’s of building BCM into a business operations management discipline. Forget about thinking like a recovery planner. The big-picture focus: how to grow the maturity of your BCM program by moving from BCM to business resiliency.

Keynote SessionsMaking Business Continuity Management a C-Suite Issue

Emily Landis Walker, a member of the U.S. Department of Homeland Security Private Sector Advisory Council who has held prominent positions with the 9-11 Commission, Citigroup and the United Nations, offered compelling insights into how to raise awareness of BCM issues to the highest levels in the enterprise. Her advice: Use real-world examples and simulations to show C-level decision-makers the ways a disaster can impact the enterprise’s profitability and reputation. For a CEO, tying preparedness to the business is critical to ensure results.

Managing Internet Reputation Is a Business ImperativeIn the Internet age, we haven’t yet found effective ways to address compelling issues of identity, anonymity, trust and reputation. Can technology alone solve the problems it has spawned? Not really, says Gartner analyst Toby Bell, but he presented a set of near- and long-term steps enterprises can take to proactively manage Internet reputation, from setting Google alerts and monitoring Wikipedia to integrating Internet reputation into an enterprisewide crisis management process.

Employment and Workplace Trends in a Post-recession EconomyThe BCM professionals in Chicago, like everybody else today, were wondering about the future — what the workplace, and their profession, will look like in the years to come, and how they can prepare for all the changes that are coming. John Challenger, CEO of the global outplacement and executive coaching consultancy Challenger, Gray & Christmas, addressed those concerns. He advised the attendees to follow four steps to job retention: Understand your company’s business issues and the trends affecting it, its industry and the world; speak management’s language; be agile

enough to be both a generalist and a specialist; and spend 10% of your time enhancing and protecting your career: Look at alternative opportunities, and nurture peer relationships.

food foR ThouGhT: Spend 10% of your time enhancing and protecting your career. Look at alternative opportunities. And remember, in today’s economy your identity is more linked to your peers than your employer. Nurture the relationships.

Special Crisis Management Keynote WorkshopWould a real-life workplace disaster find you clear-thinking and ready to respond or rattled by misinformation and chaos? Will your BCM plans enable you to contact clients and external contracts rapidly? What about your “work from home” recovery strategy? Attendees discovered the answers to those questions and more in a fast-paced Crisis Management Workshop, where they tested their mettle as employees of the fictitious Harvest Logistics Company, a wholesale distributor of food products. The 2.5-hour workshop proved to be a highly interactive learning experience which garnered an enthusiastic response. Some

participants saw it as “an eye-opening training tool that was well-planned and facilitated.” While others described it as a “humbling exercise” that would definitely motivate them to revisit their BCM plans just as soon as they returned to the office. Go to page 5 to read a full summary of this keynote.

Enterprise Risk Management (ERM) and Credit RatingsSteve Dreyer, managing director of Standard & Poor’s (S&P), discussed how the rating service is adding an ERM component to its credit ratings, to enhance its analytical processes, to better differentiate between firms and to gain better insights into management. Key questions they will ask management are: How are key risks identified, updated, and dealt with? How is risk tolerance defined and communicated? Who “owns” risk in the organization and how is success measured? What is the board’s involvement in risk management? And how will your company respond to risk issue [X]?

Customizable Post Event Worksheet

Completing this post event trip report will provide you with a valuable source to reference and share with colleagues back at the office.Go to gartner.com/us/bizcon to access the trip report worksheet.

MoRe Than 95% of conference attendees said they would recommend the Summit to their colleagues.

Business ContinuityManagementSummit 2009

Gartner Business Continuity Management Summit 2009April 27-29, 2009 | Chicago, IL

2 gartner.com/us/bizcon

#1 new technologies and services offer real-world IT dRM potential (John Morency): IT DRM remains a labor-intensive, process-driven management discipline, but newer technologies — including server virtualization, virtual-machine recovery and data dependency mapping — can increase management automation and reduce associated operating costs.

#2 Business resiliency must become part of the enterprise culture (Roberta Witty). Business resiliency requires a continuous commitment to designing information access, knowledge systems, communication mechanisms, workplaces and infrastructure so that the enterprise can rapidly return to optimum performance quickly after shock or upset.

#3 Creating and maintaining an effective BCM plan requires a strategic approach (Les Stevens and Roberta Witty): Start with a strategic approach that builds BCM plan management into the business cycle. Develop a structured framework of plans. Keep plans relevant to the purpose. Build simple but detailed plans to be used by 2nd tier workforce. finally, establish a central repository and administration process to keep plans updated.

#4 Risk assessment for BCM is a “must have” (John Morency and Les Stevens): Risk assessment is a critical step in the BCM process, providing a means of identifying and prioritizing disruptive events and their impact on business operations.

#5 It’s possible to reduce the time, cost and complexity of IT dRM testing (John Morency): Begin by avoiding four mistakes: assuming that critical application and data dependencies are covered; thinking that current testing frequency is good enough; not fixing inconsistent change control and concluding that simply completing a recovery exercise equals success.

#6 Many enterprises can’t afford a “one size fits all” IT dRM strategy (donna Scott and dave Russell): That’s why they’re opting for a layered strategy for tiered recovery, to contain costs and match the quality of service to the criticality of the IT service.

#7 you can’t ignore virtualization (Bill Malik): If you’re not actively using it, learn about it, experiment with it and eventually pilot it. If you’re using virtualization for other purposes, experiment with the functions that help IT DRM the most: testing and the actual execution of the recovery plan.

#8 data center architecture shouldn’t just “happen” (donna Scott): Your data center strategy and architecture should define data center facilities and locations to host IT services, strategy for placement of IT services and a resiliency strategy — and it should identify gaps between strategy and current architecture and have migration plans in place to ensure improvement.

#9 you need to know when to consider cloud infrastructure (Lydia Leong): BCM/IT DRM infrastructure “in the cloud” is appropriate when you need IT disaster recovery capabilities for applications that already outside your data center, for example, if you need low-cost recovery for browser-based applications or development environments — and are willing to accept some residual risk.

#10 Simplicity is a primary goal when building resilient networks (Lydia Leong): Redundant network connections, paths and providers are the key foundations for resilient networks, don’t forget the importance of voice service failover as well as data, increasing service choices are making wireless technology the ultimate backup.

#11 The first step in supply chain risk management recovery is understanding of risks (dan Miklovic): It’s possible to leverage IT for supply chain risk management and recovery, but enterprises must define where the risks in the design, supply and service chains are before they can mitigate them.

#12 Currently there is no “one size fits all” data backup and recovery technology (dave Russell): Data recovery and protection are ongoing activities. Currently there are at least five different technologies that address some, but not all, backup and recovery requirements, address those backup and recovery requirements that will be the most pressing over the near term (i.e. next 6-12 months).

#13 Teleworking has become a foundation of BCM (John Girard): Teleworking is now an essential element of any BCM program, but managers must help employees’ develop work practices that make them more efficient and more resourceful in an “off-site, out-of-sight” environment.

#14 a step-by-step approach will deliver the most effective crisis communications program (Jeff Vining): A crisis communications program requires a step-by-step approach, beginning with a succession plan for all stakeholders, then the deployment and expansion of emergency notification automation including the use of social networking technologies, and eventually crisis management portals for internal stakeholders and external communities.

#15 CMdB and dependency mapping can ease disaster recovery and data center migrations (Ronni Colville): If you think you need a CMDB for IT DRM, determine whether you have the necessary resources, processes and data readiness in place before implementation. Ensure that you have IT service definitions, so that in an outage, you can identify the causes and dependencies for other components that could be affected. IT service dependency mapping tools can help jump start the process.

#16 Through a holistic, strategic approach, enterprise architecture can make a valuable contribution to BCM planning (Greta James): Use EA to provide information about relationships between assets that are used during the risk assessment and business impact analysis processes.

Key Analyst Findings from the BCM SummitHere are some of the key insights attendees took away after three-days of intensive interaction among Gartner analysts, industry experts and their peers:



Excellent information. Well presented. Great overall experience.

Provided a very good mix between technical and business components of BCM.

Very good at the highest levels of business continuity, but also very good at the in-depth technical requirements of effective disaster recovery.

Overall, I felt I gained a lot of info that is relevant to my role and that I’ll be able to use immediately.

This was very educational and helpful as I work to upgrade our enterprise DR/BCM. There was a lot of info to absorb.

Fantastic! A wealth of vital information.

Focused learning experience. Thank you for a fun, educational three days. Appreciate all your staff making everyone feel important…from the time you register to the time you left. Great job to everyone!

This was an excellent introduction on BCM/DR/Availability. Interfaces with peers, Gartner associates and vendors provided an excellent skill-building experience.

Eye-opening from a BCM perspective.

The event presented a wide range of topics relevant and useful for our company DR/BC plans.

Very professional, documented and effective presentations in an exceptionally relaxed atmosphere and nice environment facilitating rich networking opportunities.

It was a lot of information from a research perspective. It also showed what other companies are doing.

Mock exercise provided me with ideas for conducting an exercise in my organization.

Specific technical deep dive on disaster recovery and synchronous apps, failover and recoverability technologies — all discussed in very good detail.

Helped me to identify what is missing in our company and formulate a plan of action.

Company Size

Small (1-749)

Medium (750-1,999)

Large (2,000-4,999)

X-Large (5,000-19,999)

XX-Large (20,000+)

14%

8%

18%

45%

Job Title

24%

C-level/President

37%

9%3% VP

Director

Manager/Supervisor

Gov’t

10%

Other

Consultant

Architect/Engineer

Specialist 10%

3%

5%Analyst

5%

3%

5%

Company Size

Small (1-749)

Medium (750-1,999)

Large (2,000-4,999)

X-Large (5,000-19,999)

XX-Large (20,000+)

14%

8%

18%

45%

Job Title

24%

C-level/President

37%

9%3% VP

Director

Manager/Supervisor

Gov’t

10%

Other

Consultant

Architect/Engineer

Specialist 10%

3%

5%Analyst

5%

3%

5%

Attendee Reaction to the 2009 Summit Snapshot of Attendees

audIenCe VoTeSTop 10 Best-Rated Sessions

1. Telework: A Remote Access Foundation for BCM (C7)

2. Best Practices for Continuous Application Availability (B3)

3. Easing Disaster Recovery and Data Center Migration through CMDB and Dependency Mapping (B6)

4. Best Practices for Best Business Impact Assessment Results (A6)

5. Case Study: Visa – Implementing a Global Crisis Management Program (C2)

6. DR Economics 101 (A1)

7. Enhancing Your Disaster Recovery Architecture with Virtualization (B7)

8. Developing a Strategy for Data Availability and Protection (B4)

9. The Resilient Organization (C1)

10. Making Business Continuity Management a C-Suite Issue (K1)



Open Research MeetingDuring this session, three hot BCM/IT DRM topics – Storage Management, BCM Organizational Certification and Supply Chain Risk Management and Resiliency – were debated by three teams of two Gartner analysts each and then the audience voted on how they thought the issue would be resolved.

>> TopIC #1 SToRaGe ManaGeMenT By 2012, 20% of SMBs will utilize cloud-based

storage services as an alternative to the cost and complexity of software-based backup and restore

By 2012, data location independence, access resiliency and low service cost will make cloud-based storage services the preferred alternative to in-house management of data backup and restore

audIenCe VoTe: For both points, there was approximately an 80-20 split against the strategic planning assumptions, but had the timeframe been pushed out to 2014, the decisions would be reversed.

>> TopIC #2 BCM oRGanIzaTIonaL CeRTIfICaTIon

By 2012, fewer than 10% of organizations will have received external certification of their business continuity management and IT disaster recovery programs. Those that do are either regulated to do so, or will be mandated to do so by their supply chain partners.

audIenCe VoTe: BCM certification such as the PS-Prep program (US Public Law 110-53, Title IX, Section 524 on the private sector voluntary certification program for emergency preparedness and business resilience) was voted down for wide-spread corporate adoption – many attendees thought it was overkill for their enterprise.

>> TopIC #3 SuppLy ChaIn RISk ManaGeMenT and ReSILIenCy

You can not really ever achieve supply chain resiliency – the debate resulting in the conclusion that resiliency is analog, some industries by nature can be more resilient than others.

audIenCe VoTe: You are better off picking suppliers that enable resiliency & have a track record than by setting resiliency objectives then working with your suppliers to achieve that resiliency.

ConfeRenCe hIGhLIGhTSThree tracks and more than 30 sessions delivered actionable content on how to:

Ensure your BCM program addresses the right risks for the organization

Make the right technology choices for business recovery

Determine which vendor is the best choice for specific situations

Retool your BCM program to reflect and support a global organization

Know which steps, methodologies, and tests to use to recover critical business operations correctly, consistently and with the cooperation of key parts of the organization

WhaT eLSe dId aTTendeeS fInd? Sound direction for uncertain times.

7 analyst-user Roundtables: The topics were diverse and the participation limited – to just 15 attendees. Facilitated by Gartner analysts, these highly informative sessions offered the chance to learn directly from other participants’ experience. What was up for discussion? Back up recovery and modernization Telework Interdependency Mapping Recovering the virtualized data center Improving BCM and IT DRM Maturity Crisis Communication/Emergency Notification Best Practices for Continuous Applications Availability

Who’S GeTTInG IT RIGhT and Why 4 End-user panel discussions and case studies revealed how your peers from AQR Capital, Visa, Euroclear Bank and Booz Allen Hamilton are handling the challenges of Disaster Recovery, Global Crisis Management, BCM preparedness for a financial crisis, and QA integration for BCM and DR testing.

fIRST-hand knoWLedGeAttendees met with Gartner analysts during private One-on-One sessions to get individualized attention and advice on the BCM and DR topic of their choice. These sessions are a great way to get answers, review your checklist or validate your plans.



Special Crisis Management Keynote WorkshopInTRoduCTIonJust how well do you perform under pressure? Are your crisis-management skills up to par? Would a real-life workplace disaster find you clear-thinking or rattled by misinformation and chaos? Would your BCM plans have sufficient protocols for contacting clients and external contacts ASAP. What about your “work from home” recovery strategy? Would your re-located staff succeed or fail in their first few attempts to reestablish communications at their new call centers.

Attendees discovered the answers to those questions and more in fast-paced Crisis Management Workshop, where they tested their mettle as employees of the fictitious Harvest Logistics Company, a wholesale distributor of food products. The 2.5-hour workshop proved to be a highly interactive learning experience which garnered an enthusiastic response. Some participants saw it as “an eye-opening training tool that was well-planned and facilitated.” While others described it as a “humbling exercise” that would definitely motivate them to revisit their BCM plans just as soon as they returned to the office.

SuMMaRy of The SeSSIonOn April 28, 2009 approximately 120 people who participated were divided into six groups, representing mock-ups of key decision-makers in the fictional Harvest Logistics Company, a business created by Eagle Rock Alliance specifically for this event. Materials provided included a detailed description of the company and its business units, including numbers of personnel at each location, acceptable downtimes for each business unit, and the recoverability strategy in place for the enterprise.

Facilitator Tom Martin explained how the session was to proceed over the next few hours. Because the simulated disaster centered about a power outage, Tom conducted the first of several educational interludes, informing the audience about how power is distributed in the United States. He then laid the groundwork for the power outage scenario, and a discussion ensued at the tables to determine how Harvest Logistics would react. With each escalation of the scenario, from a local event to a regional event to increased durations of the outage, decision-makers were challenged to inform the Emergency Response Team Leader (ERTL) of their specific business unit requirements. The facilitator would then select an ERTL or two to report to the assemblage, and a panel of Gartner Analysts would then add to the discussion with relevant comments, suggestions, and probing questions.

At the end of the session, Eagle Rock’s Marv Wainschel summarized some of the lessons learned and elicited comments from the floor regarding how participants felt about what they might carry back to their workplaces to help improve their own organization’s recoverability. During this wrap-up discussion, participants voiced their perceptions about the session and what they learned.

WhaT They LeaRnedThe learning experience was less about the specific circumstances surrounding the outage scenario and more about decision-making and teamwork. The ERTL reports of company decisions were succinct and incisive, testimony to the focused conversations that occurred within each simulated company.

During the session, ERT Leaders and Scribes took notes about their decisions, and these notes were submitted at the end of the session. For example, in an early escalation, six bay doors could not be closed at one of the warehouses, and ERT Leaders responded by increasing guard duties and using other employees to assist in those duties.

One group summoned local police to assist. In other situations, frozen foods were protected by keeping them on refrigerated trucks and taking action to implement early shipments to customers. Food needed to be obtained from other vendors. Administrative personnel needed additional workspace when their Apollo Recovery Center announced the need to limit their hot workspace availability. Calls needed to be rerouted when one of the call centers lost generator power. Trucks were rerouted to other warehouses. Emphasis was placed on keeping employees informed, and employee safety was a primary

ConTInued on nexT paGe >>



concern. A statement was sent to local radio stations, and other means of communication to customers were employed, including an automated notification system. Special emergency help was sent to deal with an injured employee. A backup generator and additional fuel was ordered. Suppliers were notified to stop or delay shipments to the disabled warehouse and reroute incoming deliveries where possible to the surviving warehouse.

Participants learned that even though there was a general recovery strategy, decision-making was especially challenging without a written plan. Overall, decisions were thoughtful and on point, and, most importantly, people who were by and large complete strangers to one another at the start of the session were able to operate in efficient, highly productive teams.

WhaT They SaId aBouT ITAt the conclusion of the session, participants evaluated the session. They had come prepared to be part of an atmosphere of self-expression and thoughtful decision-making, to bring back something to their individual places of work and enhance their professional skills. Did that happen? Here’s what they said:

Most participants indicated the session went very well and was highly organized but would have preferred more intra-company interaction by not being separated by two tables per company.

People expressed being impressed with Gartner’s knowledge of the issues and the panel’s ability to suggest tactics that could impact people and the environment. Participants thought the scenarios were realistic and appreciated the educational interludes, including Gartner commentaries and information provided by Brian Tishuk, founder of ChicagoFirst and the Regional Partnership Council that supports interrelationships amongst private and public firms as they relate to crisis situations.

Several people commented that this exercise would help them “see what areas in their own companies need to be involved in the planning and know what their roles are.”

One participant indicated that he had lived through “something like this” and experienced the chaos and attempts to follow plans and public authorities. He thought this exercise helped to illustrate some of those realities.

Another participant wrote, “This experiential exercise has been/will be the highlight of the conference. Consider doing two: one at beginning of the first day so attendees experience requirements of Business Continuity and all associated activities; second near the end of the last day so attendees can practice what they’ve learned.”

ConCLuSIonThis crisis management workshop promised a fast-paced experience that would absorb the complete attention of participants from start to finish. We believe that was accomplished – so much so that most participants would have liked a longer session. Session planners learned from the session probably as much as any participant, both from the interactions at the session and the comments on the evaluation forms. We appreciate greatly the participation and suggestions and look forward to future sessions.

Case Studieseuroclear Bank: how euroclear Bank applies BC Methodologies to Manage a financial Crisis: A discussion of how this leading financial institution exercised its BCM process to validate its recovery and resiliency to financial crisis scenarios, and how this contributed to Euroclear coming out unscratched when the economic crisis materialized resulting in the failure of many financial institutions.

Visa: Implementing a Global Crisis Management program: A road map to integrating Business Continuity, IT Service Continuity and Crisis Management plans, processes and protocols for effective enterprise resiliency.

aQR Capital: Getting the Most from your disaster Recovery Technologies: A look at how an investment firm designed and implemented a comprehensive IT DRM and high-availability strategy to protect it key business processes.

eRudyne LLC: Building public/private partnerships: A way to build, test and measure a sustainable and flexible public/private program and attract appropriate stakeholders.

Booz allen hamilton: Improving the Quality of BCM and disaster Recovery Testing through Quality assurance Integration. An examination of how a consolidated organization and tools strategy for testing was successful in reducing the time, cost, and complexity for IT DR exercising.

panel: Legal Issues in BCM (protiviti, pillsbury and Vedder-price): An interactive session on the importance of legal analysis in BCM planning, how to identify potential liability from failure to engage in adequate crisis and recovery planning, how to properly protect vital records and how to integrate legal considerations into the operational aspects of crisis and BCM planning.



Thanks to our 2009 Summit SponsorsThroughout the Summit, the show floor was buzzing with activity as attendees met with solution providers to discuss the latest services and product offerings. Many thanks to our sponsors for helping make Gartner Business Continuity Management Summit 2009 an outstanding educational event for everyone involved.

SILVeR

MedIa paRTneRS & aSSoCIaTIonS

21st Century Software

archer Technologies

CMS products

dell Messageone

dell Messageone

fusion Risk Management, Inc.

Global alertLink

paradigm Solution International

Recovery point

Recovery planner

Rentsys Recovery Services, Inc.

Twenty first Century Communications

pReMIeR

pLaTInuM

Gartner Events On Demand.

GartnerEventsOnDemand.com

Play. Stop. Rewind.

SpeCIaL noTe:

All conference attendees have access to presentation slides which can be uploaded using their specially assigned documentation key on Agenda Builder (See conference website: www.gartner.com/us/bizcon). Those who have purchased the “Events on Demand” multimedia offering can review presentation slides and audio for the conference sessions. For more information regarding “Events on Demand,” email [email protected]

Security & Risk ManagementSummit 2010

It’s exciting. It’s new. It may even change how you approach the business.Once in a while, a shift in perspective changes how you view your world. At Gartner, we’re about to announce just such a change. It involves the new Gartner Security & Risk Management Summit and we’re about to unveil all of the new and exciting features and sessions!

Stay tuned…What we unveil may mean you’ll get a different perspective in how you approach and think about your business. And it will certainly lead to exciting progress in how you view security, risk management and business continuity.

The announcement is right around the corner and when the time is right, you’ll be the first to know.

June 21 – 23, 2010Washington, DC (National Harbor, MD area)

Watch your inbox for ‘the big announcement’.

Visit gartner.com/us/itsecurity for updates.

Security & Risk ManagementSummit 2010

Gaylord National Resort & Convention CenterSame convenient location.

Same excellent service.

Gartner Business Continuity Management Summit 2009 Crisis Management Keynote Workshop Would a...

Documents

Transcript of Gartner Business Continuity Management Summit 2009 Crisis Management Keynote Workshop Would a...