Organisations are facing increasing technology threats from cyber security, workforce disruption and changing stakeholder expectation from an Environmental, Social and Governance (ESG) perspective. Our client an ASX20 listed organisation, has seen significant growth over the past decade with a commensurate requirement for focus on managing risks to its operations and enabling future growth. A key component of ensuring the client is prepared to manage threats and minimise disruptions to its business are sound strategies, plans and procedures to manage disaster events that may impact critical technology.
The Scope
We initiated a program of work to measure the level of preparedness (Maturity) to respond in a Disaster Event and to improve the maturity of its capabilities to improve overall resilience and service continuity.
Veev Group, using its tried and tested business impact assessment and technical risk analysis methodology, developed a program of work with the following strategic objectives in mind:
- Consideration of business impacts is at the forefront of DR Planning
- Focus on the critical systems is prioritised in the initial phase(s) of DR Strategy and Planning;
- Organisational capability, both people and process, are developed to ensure an ongoing ability to maintain and improve maturity in DR;
- Business and Technical Owners are clearly identified and aware of their responsibilities; and
- DR processes are integrated into broader organisational processes such as crisis management, risk management and corporate communications.
Our Approach
Our focus in the initial phase was to work with the business to perform Business Impact Assessments (BIA) for the critical systems, identifying the Recovery Point and Recovery Time objectives (RTO & RPO) for each of the systems and agree a prioritised list of critical systems to perform the Technical Risk Analysis (TRA).
Veev Group ran BIA workshops with key business and technical stakeholders to map out existing business continuity procedures and formally agree the criticality of each of critical in scope systems.
In parallel, a review of suitable contract terms and conditions for SaaS based systems, a subset of critical systems was assessed for technical risk (TRA) along with analysis of locations and underlying infrastructure to identify risks and highlight areas for remediation.
During this initial phase a DR Strategy was developed and agreed with the client, along with a roadmap to move up the maturity curve. Veev Group’s model for measuring maturity focusses on 5 levels that measure the client’s process maturity from “Ad Hoc” to “Resilient”. The roadmap was developed around the Client’s appetite for risk and desired state of maturity and included remediation activities, development of system recovery documentation and governance processes to maintain and improve maturity levels over agreed timeframes.
Next Steps
From the onset of this project, the Client has had a clear view on building an ongoing capability to embed Disaster Recovery requirements within the day-to-day operations of the organisation. Whilst initially reliant on external assistance the goal is to develop an in-house capability to conduct ongoing BIA and TRA processes, with regular review of existing and new systems to ensure the resilience and recoverability meet business expectations.
The focus of the next phase of the project is to train internal resources and embed the processes required to ensure resilience and recovery of critical systems forms part of the organisations Change Management, Project Management and Procurement methodologies.
With the required capabilities embedded into the Clients people and processes the goal will be to expand the coverage of Disaster Recovery to all systems, with an appropriate level of maturity targeted based on risk and RTO / RPO requirements.