resilience: internal audit’s role in strengthening...

Resilience: Internal Audit’s role in Strengthening Business Continuity Capabilities

Mark P. Ruppert, Cedars-Sinai Health System Bruce B. Daly, Deloitte & Touche, LLP

AHIA 33rd Annual Conference - September, 2014

1 Copyright © 2014 Deloitte Development LLC. All rights reserved.

Agenda

What is resilience? 3

What does a resilience program look like? 9

Internal Audit considerations 16

Common findings and trends 26

Questions 29

What is resilience?


What is resilience?

• The capacity to recover quickly from difficulties; toughness (Oxford English Dictionary)

• Capable of withstanding shock without permanent deformation or rupture (Merriam-Webster)

Resilience is the safety net designed to support an organization’s ability to bounce back from adversity (any event - natural disaster, cyber attack, terrorist attack, financial crisis, product recall, reputational event and more).

Enterprise Resilience describes the strategies and processes to plan for and respond to significant disruptions while minimizing downtime and restoring operations and supporting applications within acceptable timeframes.

An organization needs to work to place recovery capabilities are in place, i.e., you are not just secure and vigilant, but also resilient. Building Resilience is Your Final Play to protect the enterprise!


Resilient to what? An incident / disruption timeline


Enterprise resilience: from reactive, recovery-based practice to a proactive, risk-based capability

The Past

Disaster Recovery (DR)

Business Continuity (BC)

Planning

Business Continuity

Management (BCM)

Enterprise Resilience The Future

Reactive DR hit corporate agenda Lessons from

terrorist attacks – DR was not

enough

Global events drove awareness

for not only physical threats

Pressure to deliver 24x7x365 led to techniques to

identify threads and to mobilize

resources

Pro-active

Technology –centric Business-centric

Focused on recovery

Enthusiasm for DR started to wane since more pro-

active approaches were needed

Beginning of BC

BC become part of risk management

program

Focused on mitigation

Asset-based

Disruption handing has become a

corporate capability

Process-based

One-time project Continuous monitoring

Responsibility of IT*

Responsibility of board

Late 1980s Mid 1990s Early 2000s Late 2000s – 2010s

Early 1990s Late 1990s Mid 2000s * IT – Information Technology


Why is it important?

Enterprise Resilience

Get “up and running” quickly after a disaster

Work with outside vendors during the

recovery period

Reduce confusion during a crisis

Provide a specific and appropriate response

to an emergency

Increase the opportunity for long

term recovery

Resume critical functions

Improve life safety

Reputation Impact and Regulatory Scrutiny


Resilience requires these components to be in sync

Emergency Response

Crisis Management

Disaster Recovery

Business Continuity

Program Governance &

Operating Model

Bus

ines

s Im

pact

Foc

us Incident Im

pact Focus

Public / Investor

Relations

Systems

Life & Safety/

Community Partnerships

Brand

Legal / Regulatory

Facilities

Finance Human Resource

What does a resilience program look like?


Know what you’re protecting – an asset approach

BETH3 TAP (Total Asset Protection)™ is a practical model for classifying, estimating the value of and protecting organizational assets with physical and logical security mechanisms as well as business and disaster recovery strategies. Each asset can be evaluated individually and in a combined manner, making practical protection and recovery possible. By utilizing an asset-based approach such as BETH3 throughout the assessment process, you are able to better evaluate your current capabilities breadth of coverage, level of detail in your risk and business impact analyses, granularity of strategies and plan.


Example – an asset approach

Business Process Process Number

Division Building (Location)

Equipment Technology (Applications)

Human Resources

3rd Parties

MTPD (hours)

Process Payroll HR-180 ABC & Talent New York, NY Time Capture, Time Cards

Kronos, SAP, XZY 100 ADP, Time Equip

2

Develop IT Strategy IT-010 GIT Phoenix, AZ None None 200 None 48

Develop IT Products & Services IT-040 GIT Phoenix, AZ Custom Laptops Dev Pro, QA Check, Code Mgmt 123

550 None 16

Deploy IT Products & Services IT-050 GIT Phoenix, AZ Custom Laptops v2

Change Man, Code Control

350 IBM 24

Monitor/Manage Physical Assets PE-040 FAC Denver, CO Environ Control System, Security

Equip

Environ 101, Security Sys Pro

110 Tyco 8

Execute Plant Maintenance PE-090 FAC Denver, CO Maint. Equip PM of SAP 75 PP&E Special

40

Manage Collections O-150 FIN Nashville, TN None SAP – FI,CO 50 Collect Pro

8


Have a clear approach - Deloitte’s resilience methodology

Our methodology is founded upon ISO22301, the leading global standard for business continuity and is aligned with related industry guidance/other standards including: those supporting PS-Prep (ASIS SPC.1-2009, BS25999,

NFPA 1600), ITIL, NIST, ISO27001 as well as U.S. Federal government requirements of FCD1 and 2.

Program Governance/Project Management

Analyze (Define and Protect)

Develop (Prepare)

Implement (Readiness)

Total Asset Protection (Risk MapTM/

Catastrophic Risk)

Impact Analysis

Training and Awareness

Exercising and Testing

Capabilities Assessment &

Process Definitions (Industry PrintTM)

Resource Acquisition and Implementation

Resiliency/Availability/Recovery Strategies

Validation

Continuous Improving and Quality Assurance

Activities/Procedures (Plan) Development

Crisis Management Emergency Response

Operational Continuity (BETH3TM)

Building (Facilities) Recovery

Equipment Recovery

Technology (Disaster) Recovery

Human Resource

(Workforce) Continuity

Third-Party (Supply Chain)

Resilience


A clear framework – such as Deloitte’s CARR framework - is a smart place to start. It can also serve as a measurement tool to capture progress, position within your industry, etc. An assessment or internal audit can cover any or all of the following components:

The maturity level of ABC Company’s BCM program was measured in following 11 categories

Resource Acquisition

Training and Awareness


Continuous Improvement / Quality Assurance (QA)

Maturity Levels

Non-existent Initial / Ad-Hoc Repeatable / Intuitive

Managed / Measureable Optimized

Plan Development and Validation

Disaster Recovery

Crisis Management and Emergency Response

Program Governance

Total Asset Protection

Impact Analysis

Strategies

Process Mapping

Start with an honest capabilities assessment


Capabilities assessment sample results - executive summary

BC Activity / Category Non-Existent Initial / Ad-Hoc Repeatable / Intuitive

Managed / Measureable Optimized

Program Governance / Process Mapping

Total Asset Protection

Impact Analysis

Strategies

Plan Development and Validation

Disaster Recovery

Crisis Management and Emergency Response

Resource Acquisition**

Training and Awareness**


Continuous Improvement / QA

I

C

C

C

C

C

C

C

C

G

G

G C

C

C

I

I

I

I

I

I

I

I

I

G

G

G

G

G

G

G

C Current Capability I Industry

Average G Goal State


Current State Observations Risk / Impact

• A BCM policy with defined objectives and mission statement does not exist, but one has been created as part of this effort

• ABC Company has identified various teams to support BCM efforts across the organization

• Though there are various documents that highlight the establishment of BCM teams and their roles and responsibilities, the roles and responsibilities are high level and not actionable to uninitiated or untrained members of the BCM team

• There is no evidence substantiating a process for ABC Company to set and review the goals or objectives of the BCM program in a periodic and consistent manner

• There is no formal policy to guide the centralized storage, distribution, maintenance and review of continuity plans

• A generic set of goals and objectives is defined to guide business continuity activities

• While goals and objectives exist, these are limited in scope and do not explicitly account for all aspects of a robust BCM program

• ABC Company has determined the extent of business interruption insurance coverage that is required to sustain its critical processes, and the insurance covers expenses incurred to continue operations at hot site or alternate sites as well as equipment replacement values

• The lack of BCM policy results in limited and uncoordinated implementation of an effective BCM program and program activities become ad-hoc over time which affects the quality and substance of BCM capabilities

• Inconsistent execution of BCM related activities hampers ABC Company’s overall preparedness to deal with business disruptions

• Formalized roles and responsibilities at the different BCM levels – planning, preparation, response, and recovery are critical in facilitating a coordinated and timely response during a disaster. Clarified roles and responsibilities will be more critical as the organization changes and expands

• Senior management oversight, guidance and strategic considerations for continuity management activities across the company are constrained by the lack of a clearly defined set of roles and responsibilities

• The lack of a formal policy to guide the central storage, distribution and access control of continuity planning and recovery documents results in potentially outdated plans as well as difficulty in obtaining the most recent versions for reference in times of crisis. It also limits the importance of these documents and potentially leads to unauthorized access of sensitive information

• Inadequate definition of business continuity metrics limits management awareness and understanding of enterprise continuity risks and challenges and therefore constrains timely decision-making toward the protection of enterprise assets and resources

• A limited set of objectives constrain the entrenchment of a mature business continuity program and will ultimately limit ABC Company’s ability to respond to and recover from unexpected disruptions or disasters

Optimized Non-Existent Initial/Ad-Hoc Managed/Measurable Repeatable/Intuitive 1 2 3 4 0

Rating: 1.08 C I G

Select program results – program governance/process mapping C Current

Capability I Industry Average G Goal

State

Internal Audit considerations


Four key reasons for Internal Audit to push the Resilience challenge:

1. Internal Audit clearly has the clear responsibility to assess and call-out risks and associated exposure, which may be identified through to a direct risk assessment of the organizational emergency response and business continuity (resilience) effort and/or through specific internal audit observations requiring management action;

2. Internal Audit is positioned to have the board and senior management understand and respond/react these risks and exposure;

3. Internal Audit has the opportunity to help articulate how a Resilience program can be implemented.

4. Once implemented or as implemented, Internal Audit can assess progress and desired outcomes through ongoing audit efforts and/or assisting management in developing such monitoring efforts.

Internal Audit’s special role


Are your continuity plans out of date?

Are you aligning your costs with your business growth?

Are emergency response procedures in place? Does your staff know how to respond to a disaster?

Do you adopt a piece-meal approach to testing?

Have you considered all your resource requirements?

Is your staff testing only under ideal conditions?

Is your business tolerant to impact?

Does your plan address processes that really matter?

How do you measure your return on the BCM investments?

How do you plan to sustain your BCM investments?

Are your vital data and applications protected from the harm that a

disaster could cause?

Do you have proper crisis communication capabilities?

How effective is

your program?

Some key questions


Aspects to assess

Strategy People Process Technology

Includes

Some key considerations

• Governance & Project Sponsorship

• Strategic Approach

• Program Sponsors

• Enterprise Resiliency governance, policies, and procedures

• Definition of roles & responsibilities

• Program metrics

• Monitoring of changes to regulatory environment

• Definition of crisis level (tactical vs. strategic)

• Communication tools or protocols

• Board/Executive Buy-In/Support

• Crisis Response

• Compliance


Aspects to assess


Includes


• Emergency Response

• Resiliency Roles Identification

• Resiliency team knowledge & expertise

• Unity of command

• Integration of cross-functional groups

• Resilience funding & executive sponsorship

• Frequency and depth of training sessions

• Resilience program awareness

• Training & Awareness


Aspects to assess


Includes


• Risk Assessment

• Business Impact Analysis

• Business Continuity Plan

• Third Party Continuity

• Exercise & Testing

• Feedback Analysis

• Risk to Asset Types

• Integration of risk assessments into recovery procedures

• Recovery Threshold Values

• Awareness of critical third party vendors

• Scheduling/frequency of exercising and testing

• Use of “triggers” to update plans

• Frequency and depth of training sessions

• Formal exercise/testing feedback analysis loop.


Aspects to assess


Includes


• Disaster Recovery Plans

• Telecommunication

• Infrastructure

• Data/ Vital Records

• Identification and classification of critical applications

• Disaster Recovery Plans for critical applications

• Cohesion between business requirements and application recoverability

• Inclusion of telecommunications in Disaster Recovery Plans

• Data retention policies

• To support cohesion, must have coordination between operations and information technology leadership and teams


Reporting For each element being assessed, use a pre-defined ranking scale in a continuum graph and indicate the rating for the assessed area by a “C” for the current state and “G” for goal state. The example below is illustrative of the pre-defined ranking scale.

Complete lack of any recognizable processes or strategies.

There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are however, no standardized documented processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

Processes have developed to the stage where similar procedures are followed by different people when developing BCM/DR documentation. There is no formal training or communication or testing of BCM/DR procedures. High degree of reliance on the knowledge of individuals.

Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Testing is performed with a "siloed" approach without including internal/external dependencies.

Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with business continuity standards and practices. Cross functional coordination has led to better integration of BC/DR plans to improve resilience and recovery in the event of a business disruption.

0 1 2 3 4

Rating Definitions

Optimized

Managed & Measurable

Initial or Ad-Hoc Non-Existent Repeatable & Intuitive


Reporting

Governance D

Regulatory/Industry Compliance

C

Crisis Management D

Business Impact Analysis D

Business Continuity Plans D

Crisis Management Plans A-

Third Party Continuity D

Exercising and Testing D

Disaster Recovery Plans D-

Telecommunications C

Data/Vital Records D

Facilities/Infrastructure C

Emergency Response A-

Training and Awareness D

OVERALL GRADE: D+

Alternatively, consider grading each BCM component and share with senior management and other members of the organization. An illustrative example:


Trends Resilience and the related disciplines of Crisis Management, Business Continuity and Disaster Recovery have not made the major strides that some might have thought. While we have witnessed innovations in mobile computing, data analytics, geographic information systems and learning...most resilience programs have been stuck in older methods and models. Some of the trends we have seen include:

Mobility – companies are finally moving away from paper-based plans that are not actionable. They are realizing their lack of operational benefit. They are trying to leverage mobile devices, more dynamic decision-making and more internet-based decision making.

Executive Dashboards – the most senior executives need transparency into the resilience program (e.g., measurement, metrics). They need to understand the Key Risk Indicators and Key Performance Indicators for their resilience program.

Social Media – organizations are more aware that social media can be used to monitor crisis events and it can be a very valuable tool in communicating with stakeholders.

Data Analytics – risk analysis and business impact analysis data can all be very valuable immediately proceeding and during a disruption. This data can be managed and be used for more analytics around strategies and actual response to events.

Common findings and trends


Some top Internal Audit findings

1. Lack of centralized structure – program elements work in SILO 2. Lack of support from Senior Management 3. Recovery and Restoration are after thought 4. Disconnect between Senior Leadership’s perception of IT

recoverability and actual recovery capabilities reported by technical staff

5. Mismatch between application’s criticality to the business and IT recovery investments

6. Piece-meal approach to testing 7. Lack of integration between emergency response, business continuity

plans and IT disaster recovery plans


Some top Internal Audit findings

8. Lack of up-to-date documentation on recovery procedures – dependence on a limited number of key personnel for recovery

9. Underestimation of effort & time required to recover from tape backups

10. Key vendors and service providers not included in recovery planning or testing

11. Lack of business participation in recovery testing and verification activities

12. Business-supported systems and key desktop systems lack recovery plans

13. Lack of a formal budget across the organization to support resiliency 14. Lack of a feedback loop ensuring that lessons learned from exercises

and testing are incorporated into update resiliency policy, procedure and process.


Executive visibility is limited on the quality of their capabilities

No or failed CM/BC/DR Testing

Poor or slow response capabilities to a real event

Significant or consistent IT failures of any size

IT outsourcing with insufficient contractual commitments around DR

Complex supply chains with single points of failure

Compliance concerns

Enterprise Risk Management integration or lack thereof

Resilience does not come in a bottle - maybe it does!)

Some things to look for in your organization

Questions?

Presenter

Presentation Notes

ALL (5-10 min)


Contact Us

Deloitte & Touche LLP 350 South Grand Los Angeles, CA 90071

Bruce Daly ERS Principal Office: +1-213-553-1745 Mobile: +1 213-219-8213 [email protected]

Cedars-Sinai Health System 6500 Wilshire Boulevard Suite 600 Los Angeles, CA 90048

Mark P. Ruppert CPA, CIA, CISA, CHFP, CHC Director, Internal Audit Office : +1 323-866-6900 [email protected]

mailto:[email protected]

mailto:[email protected]

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

resilience: internal audit’s role in strengthening...

Documents