3/27/2015
Driving Enterprise Resiliency Through Partnership (Key Resiliency Behaviors)
Presented by:
Geno Pandolfi, U.S. Bancorp
Peter Laz, Forsythe Solutions Group
April 20-22, 2015
Talking Stick Resort ● Scottsdale, AZ
Next Generation Resilience
• Identify strategic importance & value of enterprise resiliency
• Discuss how to establish business resiliency via partnership across the enterprise
Key Resiliency Behaviors & Building Resiliency Partnerships
Audience Poll
Resilient
• Latin derivative from the present participle of resilīre, meaning to spring back, rebound
Generic Definitions:
• Resilience - the ability to work with adversity in such a way that one comes through it unharmed or even better for the experience
• Resilient - the power or ability to return to the original form, position, etc., after being bent, compressed, or stretched; elasticity
• Resiliency - the state or quality of being resilient and tending to recover from or adjust easily to misfortune or change
Definitions
13th Annual Continuity Insights Management Conference: Next Generation Resilience
Strategic Focus on Survival That...
• Considers a holistic state of readiness
• Focuses on ability to bend or resist impact
• View is broader than a planned response to an incident
Importance & Value of Enterprise Resiliency
It's about OPERATIONAL RESILIENCY
Enterprise Resiliency & the supporting program structure vary greatly across the Industry…
Enterprise Resiliency Program Leadership: An Industry View
Characteristics of a successful, well established program are:
• Executive Level Sponsorship – Tone at the Top
• Well established functional relationship across the Enterprise (Business, Governance, IT, Operations, etc.)
• Integrates and/or facilitates all aspects of Enterprise Readiness
• Established ongoing Program Lifecycle incorporating
o Consistent Program Policy and Standards
o Embedded Business Strategy and Technology Planning
o Continuous Exercise Execution and Validation
o Aggregated Risk and Compliance Reporting
o Quality Assurance and Control Testing
o Frequent Awareness & Communication
Areas to Examine
Enterprise Resiliency Approach:
• US Bank Profile
• Program Overview
• Resiliency Partner Profile
• Core Partner Concepts to Success
Public Profile:
NYSE: USB
HQ: Minneapolis, MN
BANK PROFILE:
EMPLOYEES: 65,000+
SIZE: 5th Largest Bank in the USA | $403 Billion in Assets
• Provides comprehensive banking services, brokerage, investment, mortgage, trust and payment services products to consumers, businesses and institutions
• Fortune Most Reputable Companies – Super Regional Banking – US Bancorp #1
MAJOR BUSINESS/SECTORS:
• Operates 3,176 Branch Banking Offices in over 25 States with 5,026 ATMs
• One of the Largest Wealth Management and Trust Groups in the United States with Global Banking Offices in Europe
• Corporate and Wholesale Banking Offices throughout the United States
• Global Payment Services: ATMs, Debit/Credit Card and Merchant
• Acquisition in US, Canada, Eastern/Western Europe, and Latin America
HIGHLY REGULATED INDUSTRY:
• Office of Comptroller of the Currency (OCC), Federal Reserve, FDIC, SEC and Consumer Financial Protection Board (CFPB)
US Bancorp
ENTERPRISE RESILIENCY
PROGRAM OVERVIEW
US Bancorp: Enterprise Resiliency
At US Bancorp our executives and business lines have been oriented to understand that Resiliency is:
• What our customers and stakeholders expect in 7 by 24 operational, technology, and business environments across the Enterprise
• Our environments need to be in a readiness state that maintains optimum availability to our customers and stakeholders
• Planning and business constructs provide the ability and flexibility to recover from incidents based upon redundant technology driven by business objective risk requirements
KEY MISSION PRINCIPLES
• Ensure readiness of the entire U.S. organization for significant events, impacts, or declared business disruption - Regardless of event Origin
• Provide direction, consulting, and support to business areas - Best Practices
• Program oversight to readiness and resiliency risk management guidance, monitoring, and executive reporting – 360 Degree Program Visibility
• Business preparedness and awareness program - Requirements, Exercises, and Comprehensive Training
VISION
“All of Ready!”
A Readiness Service Organization Overview
[Organization chart] Readiness Services ("C" Level Enterprise Organization):
• Readiness Planning and Strategy
• Resiliency Operations
• Readiness Assurance & Risk Mgmt
• Technical Capacity & Resiliency Mgmt
• Critical Services Testing
Program participants:
• Functional Business Line Resiliency Program Participants
• Functional Technology Resiliency Program Participants
• Functional Development Resiliency Program Participants
Readiness Planning and Strategy: Responsible for Enterprise-wide business contingency and technology recovery planning, policies, direction, and strategy.
Resiliency Operations: Responsible for command and control, and oversight for exercises and operational control for business line and technology recovery components.
Readiness Assurance & Risk Mgmt: Responsible for establishing, monitoring and reporting on all Key Performance and Key Risk Indicators for Resiliency, Third Party Recovery, and Business Continuity Program Activity.
Technical Capacity & Resiliency Mgmt: Responsible for monitoring and validating Resiliency infrastructure compatibility with production/DR infrastructures, forecasting future business demand for Production/DR environments, and Technology Management.
Critical Services Testing: Responsible for monitoring and validating that DR and Resiliency End to End Testing is completed for our Critically Defined Services.
Resiliency
PARTNER PROFILE
Resiliency Partner Profile
[Diagram] Readiness Services and its resiliency partners:
• Development Business Groups
• Infrastructure Services Group
• Service Management Groups
• Independent Risk Management
• Business & Operational Units
• Crisis & Security Control Teams
Crisis and Security Control Teams: Provide and implement resources and other stakeholder mediums to affect incident response and ensure appropriate recovery resources
Relationship: Planning, Reporting, Support and Exercise preparation, Pre-incident support, Operational Support and Technology Command & Control
Enterprise Risk Management Groups: Define and manage overall Risk frameworks and operational taxonomies for responding to specific risks in the Resiliency Program and to the Board of Directors
Relationship: Provide KPI and KRIs to all Stakeholders in forums/mediums for appropriate Risk Oversight, and Credible program review and challenge
Business Line & Operational Units: Manage individual Business Contingency and Recovery Planning through Business Planners, Readiness Coordinators, and Business Risk/Control Officers.
Relationship: Planning, Exercise Coordination, Risk Oversight, Recovery Technology and Support, and Continuity Subject-Matter Expertise to all Business Areas
Infrastructure Support Groups: Manage production infrastructure environments, including Network, Voice, Mainframe, ISS, Mid-range, MPE, Storage, Database and Raised floor, etc.
Relationship: Provide Planning, Exercise Coordination, Recovery Team Training, Recovery Subject-Matter Expertise, Risk Assessment, Reporting & Joint Resiliency Project Sponsorship
Development Business Groups: Manage individual development and recovery planning for business technology through application recovery planners and business risk managers
Relationship: Provide Planning, Exercise Coordination, Recovery Team Training, Subject-Matter Expertise to Development areas, Reporting, Recovery Technology, and Risk oversight
Service Management Groups: Manage production communications, escalations, change, and incident response for daily technology environments, availability tracking.
Relationship: Provides key Recovery SLA and Objective Risk Dependency process information, Change Control and Coordinated Command-Control major incidents
PARTNER
KEY BEHAVIORS
SUCCESS
• Utilize integrated data points and aligned technology for Planning, Monitoring, Tracking, Operational, and Recovery Components
• Provide Partner real-time access to a base of Trusted information and metrics
• Align Program processes and technologies with Guidance
• Ensure federation with trusted and single source systems of record
Integrate Technologies
TRUSTED DATA
Establish Foundational Trust
Доверяй но проверяй!
President Ronald Reagan to Soviet Premier Gorbachev
Washington Intermediate Range Nuclear Forces Treaty
December 8, 1987
“Trust But Verify”
Communicate Frequently With Partners
• Engage with stakeholders Including Independent Risk and Audit Committees - provide Key Program and Key Risk Identification
• Establish a Resiliency Steering and Governance Committee with Resiliency Partners
• Track and Report Resiliency Capital and Non-capital Projects with Partners
• Develop special Off-site Planning and Partner review sessions
• Encourage joint and coordinated industry group participation with partners (e.g. HP, IBM, EMC, Microsoft, SUN, Verisign, SunGard, DRJ, etc.)
• Ensure at a minimum Quarterly and/or Monthly meetings to review key Resiliency Projects and Programs
Joint Projects With Resiliency Partners
Resiliency Projects often require very large Capital Expenditures
• Coordinate Executive Communication and Sponsorship with Partners
• Drive joint justification and business needs for Key resiliency expenditures
• Co-sponsor with Infrastructure and Risk areas 3-5 Year Resiliency Strategies and Capital Projections with dependencies
• Drive a single Resiliency voice and message across the Enterprise
• Advance Business Continuity Program Metrics to support Resiliency Projects (e.g. model the Relationship of Technology to key business strategies and resiliency, etc.)
Resiliency Partner Project
Major Resiliency Project:
- Production/DR Data Center and Center Expansion
- One of limited number of Certified Tier-IV Global Data Centers*
*Uptime Institute
Provide Resiliency Partners Continuing & Early Notifications
• Full integration with Emergency Notification and Email Systems to provide effective notification to key stakeholders (exercises, activations, key site messaging, and crisis communications)
• Link Key messaging systems to Mission Critical Processes and Critical Applications and Program Resiliency Data
• Provide automated Partner Notifications and recovery Ticketing for SLAs and Exceptions via an Early Warning Reporting System
Provide Resiliency and Program Dashboards and Reporting to Steering Committees, Major Business Stakeholders, and Risk Committees
Continuing & Early Notifications
RESILIENCY DASHBOARD
Mainframe
• CPU capacity
• DASD capacity
• Tape capacity
• DR Readiness
o Replication
o Infrastructure
Distributed Systems
• CPU capacity
• DASD capacity
• Tape capacity
• DR Readiness
o Replication
o Infrastructure
ATM Services
• ATM/POS
• Mainframe Batch
• Wire Transfer
• Web Portal Dashboard
• Web Admin Dashboard
Infrastructure Resiliency
• Floor Space
• Utility Power
• Generator
• UPS Capacity
• UPS Battery Life
• Cooling
• Server Growth
Data Network
• Core Network
• Intranets
• Internet
• Branch
• Key Partner
• Firewalls
Voice Network
• Call Center
• Call Center A
• Call Center B
• Call Center C
• Trading
• Integrate Resiliency Data across the Enterprise
• Establish Trusted Resiliency Partner Foundations
• Frequent and Focused Partner Communications
• Jointly Support Resiliency Projects and Activities
• Early and Continuing Partner Event Notifications
Key Behaviors Summary
Resiliency Partnership
(Churchill, Roosevelt, Stalin, Yalta, circa 1945)
“If we are together nothing is impossible. If we are divided, all will fail.”
Sir Winston Churchill
Prime Minister, United Kingdom
THANK YOU, QUESTIONS
Geno Pandolfi
Peter Laz