Driving Risk Management Governance into the BCM Life Cycle Doug ...

October 29-30, 2012 • Hotel Pennsylvania

BCI Track – Session 2
Driving Risk Management Governance into the BCM Life Cycle
Doug Weldon, FBCI
Vice President of Product & Infrastructure Risk Management, Thomson Reuters, and President, BCI-USA Chapter

A follow-on presentation to the Spring 2012 CI Conference Session: Integrating BCM and Development Life Cycles

Presentation Outline
• What is a life cycle process?
• Is the BCM management system a life cycle process?
• Where are we today?
• Where should we be going?
• How does this potentially change BCM as a life cycle process?
• What are the benefits? Potential risks?
• Essential ingredient – Risk Management Governance!

What is a Development Life Cycle?
• The structured methodology for managing the full life cycle of a product, business process, or IT system from initial concept through end-of-life.
• Example: the systems development life cycle (SDLC), or software development life cycle, in systems engineering, information systems and software engineering, is a process of creating or altering information systems, and the models and methodologies that people use to develop these systems.*
* Wikipedia

Example of SDLC Life Cycle*
[Diagram of an SDLC life cycle; the figure itself is not reproduced in this extraction.]
* Wikipedia

General Benefits of Life Cycle Processes*
• Decreased Costs
• Improved On-time Delivery
• Improved Productivity
• Improved Quality
• Improved Customer Satisfaction
• Improved Return on Investment
• Improvement/Maturity Measures
* www.sei.cmu.edu

BCM Program Life Cycle Process*

* ISO 22313 Draft for Comment

Essentially BS25999-2 Revisited

Applicable Life Cycles
• Requirements standards (e.g., BS25999-2 or ISO22301) provide the specifications against which a company’s BCMS is audited and certified.
• The Plan-Do-Check-Act (PDCA) cycle that ISO 9001 shares with the other ISO management system standards drives the continuous improvement of the BCMS.
• Practice standards (e.g., BS25999-1 or ISO22313) describe BCM best practices, i.e., the process that drives the specific BCM life cycle.

Lifecycle for BC/DR Capabilities

Where Are We Today?
• Nominal Case:
  – Established BCM program
  – Process for establishing capabilities
  – Many capabilities established and maintained
  – BCM solutions built after the product/process/system is implemented
• Better Case:
  – Compliant or even certified program
  – Capabilities built and maintained to best practices
  – But are they the highest quality/lowest cost?

Where Should We Be Going?
• Best Case:
  – Demonstrate compliance with best practices
  – Anchor on identified stakeholder requirements (non-functional requirements are as important as functional requirements)
  – Design optimal (cost vs. risk) solutions based on requirements
  – Regularly validate compliance with (changing) requirements, perform needed corrective actions, report results, and audit findings
  – Build BCM solutions as products, processes, or systems are built!

How Do We Do That?
• The best possible identification of requirements is essential
• A focused discipline on compliance with the BCM life cycle process drives and continuously improves quality
• And this strongly suggests that the BCM and product/process/system life cycle processes should be integrated!

Focus on Identifying and Validating Requirements
• Types of Requirements:
  → Functional Requirements of the Product/Proposition – What the product does for the customer; i.e., the types of transactions the customers execute and what kinds of content result.
  → Non-functional Requirements of the Product/Proposition – How the product delivers the functionality in terms of performance, security, recoverability, availability, reliability, and other risk-related factors.
[Diagram: dependency chain Customers → Products → Processes, Systems, Infrastructures → Suppliers, with nodes labelled C(1)–C(3), P(1)–P(6), I(1)–I(4) and S(1)–S(5); the links between individual nodes are not recoverable from this extraction.]

Product/Process/System Life Cycle – PROCESS OF CONTINUOUS IMPROVEMENT
[Diagram: a Plan–Do–Check–Act ring around the staged life cycle Business Proposal → Business Case → Define/Design → Develop → Implement → Operate & Maintain → Retire/Reengineer, with stage gates labelled CONCEPTION, APPROVAL, CONFIRMATION, READY TO DEPLOY, READY FOR PRODUCTION, MEET ROI, READY FOR SUNSET and SUNSET.]

What Does It Mean to Integrate Life Cycles?
• Analyze each of the life cycle process steps to establish the feasibility of integration
• Establish correspondence between life cycle process steps
• Rationalize the steps to ensure that the steps produce analogous, value-adding deliverables
• Interleave the activities of the corresponding process steps into a uniform activity set

BCM Planning and SDLC
System Development Life Cycle (SDLC):
1. Initiation
2. Development/Acquisition
3. Implementation
4. Operation and Maintenance
5. Disposal
[Diagram: the five SDLC phases (Phase 1: Initiation, Phase 2: Development/Acquisition, Phase 3: Implementation, Phase 4: Operation/Maintenance, Phase 5: Disposal) drawn as a ring, with the corresponding BCM planning stages Initiation/Definition, Design/Development, Implementation, Test, Operations and Disposal mapped alongside.]

Product/Process/System Life Cycle – PROCESS OF CONTINUOUS IMPROVEMENT (BCM stages overlaid)
[Diagram: the staged life cycle Business Proposal → Business Case → Define/Design → Develop → Implement → Operate & Maintain → Retire/Reengineer, with stage gates CONCEPTION, APPROVAL, CONFIRMATION, READY TO DEPLOY, READY FOR PRODUCTION, MEET ROI, READY FOR SUNSET and SUNSET, and the BCM life cycle stages Understand the Organization, BCM Strategy, BCM Response, and Test and Maintain overlaid on the corresponding product stages.]

BCM Life Cycle Change Implications
• BCM life cycle integration into the product/process/system development life cycle of the enterprise potentially drives changes into the BCM process itself:
  – What is a risk assessment in this integrated view?
  – What is a BIA in this integrated view?
  – How is BCM strategy changed by integrated architectures?
  – Many other potential implications.

Benefits and Risks
• Benefits
  – Better BCM program integration into corporate strategies and culture
  – Attention to BCM at the right times in the life cycle
  – Greater assurance of optimal cost vs. risk solutions
  – Getting requirements right the first time
  – Designs more truly fit for purpose
• Risks
  – The corporation’s development life cycle is undisciplined
  – The BCM program is under-resourced to deliver
  – Lack of governance to ensure life cycle inclusion

The Essential Ingredient: Governance
• Governance: In the case of a business or of a nonprofit organization, governance relates to consistent management, cohesive policies, guidance, processes and decision-rights for a given area of responsibility.*
• Operational Risk Management Governance: Relates to consistent management, cohesive policies, guidance, processes and decision-rights for identifying, analyzing, reporting on, and mitigating operational risks.
* Wikipedia

Why Is Governance Essential?
• Governance is required to describe and prescribe this integrated process
• Getting in the door before requirements or design are established for a new proposition requires a mandatory policy and process for building new products, processes, and systems
• Otherwise, the resulting BCM capability will likely be less than the most cost-effective and timely!

Establishing Effective Governance
• Requires an effective and comprehensive BCM program per the principles of ISO 22301
• Requires the BCM program to be in active alignment with the strategic objectives of the enterprise
• Requires that the BCM program embraces and drives the BCM life cycle as an integral part of the product/process life cycle
• Requires credibility with key stakeholders such as IT systems developers and product/process managers

BCM as Part of Operational Risk Management
[Diagram: Operational Risk Management Governance spanning the BCM Program, the ISM Program, the ITIL Program and other operational risk disciplines.*]
* The Path to Operational Resiliency: Architecture & Reliability/Availability; Incident/Crisis Mgt. & Insurance; Performance Mgt.; Contract Risk Mgt.; Process Maturity; Operational Resiliency; Operations Mgt.; Service Continuity; Business Continuity; Information & Physical Security; Quality Assurance

QUESTIONS?