Resilience: Internal Audit’s role in Strengthening Business Continuity Capabilities
Mark P. Ruppert, Cedars-Sinai Health System Bruce B. Daly, Deloitte & Touche, LLP
AHIA 33rd Annual Conference - September, 2014
1 Copyright © 2014 Deloitte Development LLC. All rights reserved.
Agenda
• What is resilience?
• What does a resilience program look like?
• Internal Audit considerations
• Common findings and trends
• Questions
What is resilience?
• The capacity to recover quickly from difficulties; toughness (Oxford English Dictionary)
• Capable of withstanding shock without permanent deformation or rupture (Merriam-Webster)
Resilience is the safety net designed to support an organization’s ability to bounce back from adversity (any event - natural disaster, cyber attack, terrorist attack, financial crisis, product recall, reputational event and more).
Enterprise Resilience describes the strategies and processes to plan for and respond to significant disruptions while minimizing downtime and restoring operations and supporting applications within acceptable timeframes.
An organization needs to work to ensure that recovery capabilities are in place, i.e., that you are not just secure and vigilant, but also resilient. Building resilience is your final play to protect the enterprise!
4 Copyright © 2014 Deloitte Development LLC. All rights reserved.
Resilient to what? An incident / disruption timeline
Enterprise resilience: from reactive, recovery-based practice to a proactive, risk-based capability

Timeline, from The Past to The Future:

Disaster Recovery (DR) - late 1980s to early 1990s
• Reactive: DR hit the corporate agenda

Business Continuity (BC) Planning - mid 1990s to late 1990s
• Lessons from terrorist attacks: DR was not enough
• Enthusiasm for DR started to wane since more pro-active approaches were needed
• Beginning of BC

Business Continuity Management (BCM) - early 2000s to mid 2000s
• Global events drove awareness of not only physical threats
• BC became part of the risk management program

Enterprise Resilience - late 2000s to 2010s
• Pressure to deliver 24x7x365 led to techniques to identify threats and to mobilize resources
• Disruption handling has become a corporate capability

The shifts along the way:
• Reactive -> Pro-active
• Technology-centric -> Business-centric
• Focused on recovery -> Focused on mitigation
• Asset-based -> Process-based
• One-time project -> Continuous monitoring
• Responsibility of IT* -> Responsibility of the board

* IT – Information Technology
Why is it important?

Enterprise Resilience
• Get “up and running” quickly after a disaster
• Work with outside vendors during the recovery period
• Reduce confusion during a crisis
• Provide a specific and appropriate response to an emergency
• Increase the opportunity for long-term recovery
• Resume critical functions
• Improve life safety

Reputation Impact and Regulatory Scrutiny
Resilience requires these components to be in sync

[Diagram: the components below are shown together on one chart, spanning from an Incident Impact Focus at one end to a Business Impact Focus at the other.]

Components:
• Emergency Response
• Crisis Management
• Disaster Recovery
• Business Continuity
• Program Governance & Operating Model

Areas covered: Public / Investor Relations; Systems; Life & Safety / Community Partnerships; Brand; Legal / Regulatory; Facilities; Finance; Human Resources
What does a resilience program look like?
Know what you’re protecting – an asset approach
BETH3 TAP (Total Asset Protection)™ is a practical model for classifying, estimating the value of, and protecting organizational assets with physical and logical security mechanisms as well as business and disaster recovery strategies. BETH3 names the five asset classes the model covers: Building, Equipment, Technology, Human resources and 3rd parties. Each asset can be evaluated individually and in combination, making practical protection and recovery possible. By using an asset-based approach such as BETH3 throughout the assessment process, you are better able to evaluate the breadth of coverage of your current capabilities, the level of detail in your risk and business impact analyses, and the granularity of your strategies and plans.
Example – an asset approach

Business Process | Process Number | Division | Building (Location) | Equipment | Technology (Applications) | Human Resources (staff) | 3rd Parties | MTPD (hours)
Process Payroll | HR-180 | ABC & Talent | New York, NY | Time Capture, Time Cards | Kronos, SAP, XZY | 100 | ADP, Time Equip | 2
Develop IT Strategy | IT-010 | GIT | Phoenix, AZ | None | None | 200 | None | 48
Develop IT Products & Services | IT-040 | GIT | Phoenix, AZ | Custom Laptops | Dev Pro, QA Check, Code Mgmt 123 | 550 | None | 16
Deploy IT Products & Services | IT-050 | GIT | Phoenix, AZ | Custom Laptops v2 | Change Man, Code Control | 350 | IBM | 24
Monitor/Manage Physical Assets | PE-040 | FAC | Denver, CO | Environ Control System, Security Equip | Environ 101, Security Sys Pro | 110 | Tyco | 8
Execute Plant Maintenance | PE-090 | FAC | Denver, CO | Maint. Equip | PM of SAP | 75 | PP&E Special | 40
Manage Collections | O-150 | FIN | Nashville, TN | None | SAP – FI,CO | 50 | Collect Pro | 8

MTPD – Maximum Tolerable Period of Disruption
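The table records MTPD per business process, but the assets in the other columns are shared: SAP, the Phoenix building and the Denver building each serve several processes with different tolerances. An asset therefore has to be recoverable within the tightest MTPD of any process that depends on it, and comparing that derived target with what IT or the vendor can actually deliver is one way to surface the criticality-versus-investment mismatch Internal Audit commonly reports. The Python below is an added example, not code from the presentation or from Deloitte; it transcribes the table above, and its CURRENT_RTO figures are a constructed assumption standing in for stated recovery capabilities, which the slide does not give.

```python
"""Added example: derive per-asset recovery targets from an asset-based
(BETH3-style) process inventory and flag assets whose stated recovery
capability cannot meet the business-imposed target.

PROCESSES transcribes the slide's table. CURRENT_RTO is a constructed
assumption (not from the presentation) for what IT/vendors commit to today.
"""

# One row per business process: its Building, and the Equipment, Technology
# and Third-party assets it depends on, with staff count and the Maximum
# Tolerable Period of Disruption (MTPD) in hours.
PROCESSES = [
    {"id": "HR-180", "name": "Process Payroll", "division": "ABC & Talent",
     "location": "New York, NY", "equipment": ["Time Capture", "Time Cards"],
     "technology": ["Kronos", "SAP", "XZY"], "headcount": 100,
     "third_parties": ["ADP", "Time Equip"], "mtpd": 2},
    {"id": "IT-010", "name": "Develop IT Strategy", "division": "GIT",
     "location": "Phoenix, AZ", "equipment": [], "technology": [],
     "headcount": 200, "third_parties": [], "mtpd": 48},
    {"id": "IT-040", "name": "Develop IT Products & Services", "division": "GIT",
     "location": "Phoenix, AZ", "equipment": ["Custom Laptops"],
     "technology": ["Dev Pro", "QA Check", "Code Mgmt 123"], "headcount": 550,
     "third_parties": [], "mtpd": 16},
    {"id": "IT-050", "name": "Deploy IT Products & Services", "division": "GIT",
     "location": "Phoenix, AZ", "equipment": ["Custom Laptops v2"],
     "technology": ["Change Man", "Code Control"], "headcount": 350,
     "third_parties": ["IBM"], "mtpd": 24},
    {"id": "PE-040", "name": "Monitor/Manage Physical Assets", "division": "FAC",
     "location": "Denver, CO",
     "equipment": ["Environ Control System", "Security Equip"],
     "technology": ["Environ 101", "Security Sys Pro"], "headcount": 110,
     "third_parties": ["Tyco"], "mtpd": 8},
    {"id": "PE-090", "name": "Execute Plant Maintenance", "division": "FAC",
     "location": "Denver, CO", "equipment": ["Maint. Equip"],
     "technology": ["PM of SAP"], "headcount": 75,
     "third_parties": ["PP&E Special"], "mtpd": 40},
    {"id": "O-150", "name": "Manage Collections", "division": "FIN",
     "location": "Nashville, TN", "equipment": [],
     "technology": ["SAP - FI,CO"], "headcount": 50,
     "third_parties": ["Collect Pro"], "mtpd": 8},
]

# Constructed assumption: recovery time in hours that IT or the vendor
# currently commits to for a few shared assets. Assets missing from this map
# have no stated recovery capability at all.
CURRENT_RTO = {
    ("Technology", "SAP"): 24,
    ("Technology", "Kronos"): 2,
    ("Third Party", "ADP"): 4,
    ("Building", "Phoenix, AZ"): 12,
    ("Building", "Denver, CO"): 8,
}


def asset_dependencies(process):
    """List the (asset type, asset name) pairs a process depends on."""
    return ([("Building", process["location"])]
            + [("Equipment", a) for a in process["equipment"]]
            + [("Technology", a) for a in process["technology"]]
            + [("Third Party", a) for a in process["third_parties"]])


def required_recovery(processes):
    """For every asset, the tightest MTPD among the processes that need it,
    plus the list of those processes (the asset's blast radius).

    A shared asset inherits its most demanding dependent process: SAP is used
    by payroll (2 h), so SAP's target is 2 h regardless of the other users.
    """
    targets = {}
    for p in processes:
        for key in asset_dependencies(p):
            t = targets.setdefault(key, {"mtpd_hours": p["mtpd"], "processes": []})
            t["processes"].append(p["id"])
            t["mtpd_hours"] = min(t["mtpd_hours"], p["mtpd"])
    return targets


def recovery_gaps(targets, current_rto):
    """Assets whose stated recovery time exceeds the business-imposed target,
    or that have no stated capability at all. Sorted tightest target first."""
    gaps = []
    for key, t in targets.items():
        rto = current_rto.get(key)
        if rto is None or rto > t["mtpd_hours"]:
            gaps.append({"asset": key, "required_hours": t["mtpd_hours"],
                         "current_hours": rto, "processes": t["processes"]})
    return sorted(gaps, key=lambda g: (g["required_hours"], g["asset"]))


if __name__ == "__main__":
    for g in recovery_gaps(required_recovery(PROCESSES), CURRENT_RTO):
        have = "no stated capability" if g["current_hours"] is None else f"{g['current_hours']} h"
        print(f"{g['asset'][0]:<11} {g['asset'][1]:<22} needs {g['required_hours']:>2} h, "
              f"has {have}; processes: {', '.join(g['processes'])}")
```

Run stand-alone it lists every asset with a gap, tightest target first; SAP shows up at the top because payroll's 2-hour MTPD applies to it even though the other SAP-dependent processes tolerate 8 and 40 hours. Asset names are matched literally, so "SAP", "PM of SAP" and "SAP - FI,CO" are treated as three assets; an audit would normalize these against the application inventory before drawing conclusions.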
Have a clear approach - Deloitte’s resilience methodology

Our methodology is founded upon ISO 22301, the leading global standard for business continuity, and is aligned with related industry guidance and other standards, including those supporting PS-Prep (ASIS SPC.1-2009, BS 25999, NFPA 1600), ITIL, NIST and ISO 27001, as well as the U.S. Federal government requirements of FCD 1 and 2.

Program Governance/Project Management

Analyze (Define and Protect)
• Total Asset Protection (Risk Map™/Catastrophic Risk)
• Impact Analysis
• Capabilities Assessment & Process Definitions (Industry Print™)
• Resiliency/Availability/Recovery Strategies

Develop (Prepare)
• Activities/Procedures (Plan) Development
• Crisis Management
• Emergency Response
• Operational Continuity (BETH3™): Building (Facilities) Recovery; Equipment Recovery; Technology (Disaster) Recovery; Human Resource (Workforce) Continuity; Third-Party (Supply Chain) Resilience

Implement (Readiness)
• Training and Awareness
• Exercising and Testing
• Resource Acquisition and Implementation
• Validation
• Continuous Improvement and Quality Assurance
Start with an honest capabilities assessment

A clear framework - such as Deloitte’s CARR framework - is a smart place to start. It can also serve as a measurement tool to capture progress, position within your industry, etc. An assessment or internal audit can cover any or all of the following components.

The maturity level of ABC Company’s BCM program was measured in the following 11 categories:
• Program Governance / Process Mapping
• Total Asset Protection
• Impact Analysis
• Strategies
• Plan Development and Validation
• Disaster Recovery
• Crisis Management and Emergency Response
• Resource Acquisition
• Training and Awareness
• Exercising and Testing
• Continuous Improvement / Quality Assurance (QA)

Maturity Levels: Non-existent; Initial / Ad-Hoc; Repeatable / Intuitive; Managed / Measurable; Optimized
Capabilities assessment sample results - executive summary

[Chart: for each BC activity / category below, the Current Capability (C), Industry Average (I) and Goal State (G) are plotted across the five maturity levels (Non-Existent, Initial / Ad-Hoc, Repeatable / Intuitive, Managed / Measurable, Optimized). The plotted positions are not recoverable from the transcript.]

BC Activity / Category:
• Program Governance / Process Mapping
• Total Asset Protection
• Impact Analysis
• Strategies
• Plan Development and Validation
• Disaster Recovery
• Crisis Management and Emergency Response
• Resource Acquisition**
• Training and Awareness**
• Exercising and Testing
• Continuous Improvement / QA

Legend: C – Current Capability; I – Industry Average; G – Goal State
Select program results – program governance/process mapping

Rating: 1.08 on the 0-4 maturity scale (0 Non-Existent, 1 Initial/Ad-Hoc, 2 Repeatable/Intuitive, 3 Managed/Measurable, 4 Optimized). The slide also plots C (Current Capability), I (Industry Average) and G (Goal State) on this scale; their positions are not recoverable from the transcript.

Current State Observations
• A BCM policy with defined objectives and mission statement does not exist, but one has been created as part of this effort
• ABC Company has identified various teams to support BCM efforts across the organization
• Though there are various documents that highlight the establishment of BCM teams and their roles and responsibilities, the roles and responsibilities are high level and not actionable to uninitiated or untrained members of the BCM team
• There is no evidence substantiating a process for ABC Company to set and review the goals or objectives of the BCM program in a periodic and consistent manner
• There is no formal policy to guide the centralized storage, distribution, maintenance and review of continuity plans
• A generic set of goals and objectives is defined to guide business continuity activities
• While goals and objectives exist, these are limited in scope and do not explicitly account for all aspects of a robust BCM program
• ABC Company has determined the extent of business interruption insurance coverage that is required to sustain its critical processes, and the insurance covers expenses incurred to continue operations at hot sites or alternate sites as well as equipment replacement values

Risk / Impact
• The lack of a BCM policy results in limited and uncoordinated implementation of an effective BCM program, and program activities become ad-hoc over time, which affects the quality and substance of BCM capabilities
• Inconsistent execution of BCM-related activities hampers ABC Company’s overall preparedness to deal with business disruptions
• Formalized roles and responsibilities at the different BCM levels – planning, preparation, response, and recovery – are critical in facilitating a coordinated and timely response during a disaster. Clarified roles and responsibilities will be more critical as the organization changes and expands
• Senior management oversight, guidance and strategic considerations for continuity management activities across the company are constrained by the lack of a clearly defined set of roles and responsibilities
• The lack of a formal policy to guide the central storage, distribution and access control of continuity planning and recovery documents results in potentially outdated plans as well as difficulty in obtaining the most recent versions for reference in times of crisis. It also diminishes the importance of these documents and potentially leads to unauthorized access to sensitive information
• Inadequate definition of business continuity metrics limits management awareness and understanding of enterprise continuity risks and challenges and therefore constrains timely decision-making toward the protection of enterprise assets and resources
• A limited set of objectives constrains the entrenchment of a mature business continuity program and will ultimately limit ABC Company’s ability to respond to and recover from unexpected disruptions or disasters
Internal Audit considerations
Internal Audit’s special role

Four key reasons for Internal Audit to push the Resilience challenge:
1. Internal Audit has the clear responsibility to assess and call out risks and associated exposure, which may be identified through a direct risk assessment of the organizational emergency response and business continuity (resilience) effort and/or through specific internal audit observations requiring management action;
2. Internal Audit is positioned to have the board and senior management understand and respond to these risks and exposures;
3. Internal Audit has the opportunity to help articulate how a Resilience program can be implemented;
4. Once implemented, or as it is being implemented, Internal Audit can assess progress and desired outcomes through ongoing audit efforts and/or by assisting management in developing such monitoring efforts.
Some key questions

How effective is your program?
• Are your continuity plans out of date?
• Are you aligning your costs with your business growth?
• Are emergency response procedures in place? Does your staff know how to respond to a disaster?
• Do you adopt a piece-meal approach to testing?
• Have you considered all your resource requirements?
• Is your staff testing only under ideal conditions?
• Is your business tolerant to impact?
• Does your plan address processes that really matter?
• How do you measure your return on the BCM investments?
• How do you plan to sustain your BCM investments?
• Are your vital data and applications protected from the harm that a disaster could cause?
• Do you have proper crisis communication capabilities?
Aspects to assess – Strategy (Strategy | People | Process | Technology)

Includes:
• Governance & Project Sponsorship
• Strategic Approach
• Crisis Response
• Compliance

Some key considerations:
• Program Sponsors
• Enterprise Resiliency governance, policies, and procedures
• Definition of roles & responsibilities
• Program metrics
• Monitoring of changes to regulatory environment
• Definition of crisis level (tactical vs. strategic)
• Communication tools or protocols
• Board/Executive Buy-In/Support
Aspects to assess – People (Strategy | People | Process | Technology)

Includes:
• Emergency Response
• Training & Awareness

Some key considerations:
• Resiliency Roles Identification
• Resiliency team knowledge & expertise
• Unity of command
• Integration of cross-functional groups
• Resilience funding & executive sponsorship
• Frequency and depth of training sessions
• Resilience program awareness
Aspects to assess – Process (Strategy | People | Process | Technology)

Includes:
• Risk Assessment
• Business Impact Analysis
• Business Continuity Plan
• Third Party Continuity
• Exercise & Testing
• Feedback Analysis

Some key considerations:
• Risk to Asset Types
• Integration of risk assessments into recovery procedures
• Recovery Threshold Values
• Awareness of critical third party vendors
• Scheduling/frequency of exercising and testing
• Use of “triggers” to update plans
• Frequency and depth of training sessions
• Formal exercise/testing feedback analysis loop
Aspects to assess – Technology (Strategy | People | Process | Technology)

Includes:
• Disaster Recovery Plans
• Telecommunication
• Infrastructure
• Data/ Vital Records

Some key considerations:
• Identification and classification of critical applications
• Disaster Recovery Plans for critical applications
• Cohesion between business requirements and application recoverability
• Inclusion of telecommunications in Disaster Recovery Plans
• Data retention policies
• To support cohesion, there must be coordination between operations and information technology leadership and teams
Reporting

For each element being assessed, use a pre-defined ranking scale in a continuum graph and indicate the rating for the assessed area by a “C” for the current state and “G” for goal state. The example below is illustrative of the pre-defined ranking scale.

Rating Definitions
0 – Non-Existent: Complete lack of any recognizable processes or strategies.
1 – Initial or Ad-Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized documented processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 – Repeatable & Intuitive: Processes have developed to the stage where similar procedures are followed by different people when developing BCM/DR documentation. There is no formal training or communication or testing of BCM/DR procedures. High degree of reliance on the knowledge of individuals.
3 – Managed & Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Testing is performed with a "siloed" approach without including internal/external dependencies.
4 – Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with business continuity standards and practices. Cross-functional coordination has led to better integration of BC/DR plans to improve resilience and recovery in the event of a business disruption.
Reporting

Alternatively, consider grading each BCM component and sharing the grades with senior management and other members of the organization. An illustrative example:

Governance: D
Regulatory/Industry Compliance: C
Crisis Management: D
Business Impact Analysis: D
Business Continuity Plans: D
Crisis Management Plans: A-
Third Party Continuity: D
Exercising and Testing: D
Disaster Recovery Plans: D-
Telecommunications: C
Data/Vital Records: D
Facilities/Infrastructure: C
Emergency Response: A-
Training and Awareness: D
OVERALL GRADE: D+
Trends

Resilience and the related disciplines of Crisis Management, Business Continuity and Disaster Recovery have not made the major strides that some might have thought. While we have witnessed innovations in mobile computing, data analytics, geographic information systems and learning, most resilience programs have been stuck in older methods and models. Some of the trends we have seen include:

Mobility – companies are finally moving away from paper-based plans that are not actionable, having realized their lack of operational benefit. They are trying to leverage mobile devices, more dynamic decision-making and more internet-based decision making.
Executive Dashboards – the most senior executives need transparency into the resilience program (e.g., measurement, metrics). They need to understand the Key Risk Indicators and Key Performance Indicators for their resilience program.
Social Media – organizations are more aware that social media can be used to monitor crisis events and that it can be a very valuable tool in communicating with stakeholders.
Data Analytics – risk analysis and business impact analysis data can all be very valuable immediately preceding and during a disruption. This data can be managed and used for more analytics around strategies and the actual response to events.
Common findings and trends
Some top Internal Audit findings

1. Lack of centralized structure – program elements work in silos
2. Lack of support from Senior Management
3. Recovery and Restoration are an afterthought
4. Disconnect between Senior Leadership’s perception of IT recoverability and actual recovery capabilities reported by technical staff
5. Mismatch between an application’s criticality to the business and IT recovery investments
6. Piece-meal approach to testing
7. Lack of integration between emergency response, business continuity plans and IT disaster recovery plans
Some top Internal Audit findings (continued)

8. Lack of up-to-date documentation on recovery procedures – dependence on a limited number of key personnel for recovery
9. Underestimation of effort & time required to recover from tape backups
10. Key vendors and service providers not included in recovery planning or testing
11. Lack of business participation in recovery testing and verification activities
12. Business-supported systems and key desktop systems lack recovery plans
13. Lack of a formal budget across the organization to support resiliency
14. Lack of a feedback loop ensuring that lessons learned from exercises and testing are incorporated into updated resiliency policy, procedure and process
Some things to look for in your organization

• Executive visibility is limited on the quality of their capabilities
• No or failed CM/BC/DR testing
• Poor or slow response capabilities to a real event
• Significant or consistent IT failures of any size
• IT outsourcing with insufficient contractual commitments around DR
• Complex supply chains with single points of failure
• Compliance concerns
• Enterprise Risk Management integration, or lack thereof

Resilience does not come in a bottle (maybe it does!)
Questions?
Contact Us
Deloitte & Touche LLP 350 South Grand Los Angeles, CA 90071
Bruce Daly ERS Principal Office: +1-213-553-1745 Mobile: +1 213-219-8213 [email protected]
Cedars-Sinai Health System 6500 Wilshire Boulevard Suite 600 Los Angeles, CA 90048
Mark P. Ruppert CPA, CIA, CISA, CHFP, CHC Director, Internal Audit Office : +1 323-866-6900 [email protected]
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.