Part #1- BC/DR For Hosted Services (Understand the Cloud)

BC/DR planning for the cloud is confusing to some people because the “cloud” is as broad as the sky. Today, cloud solutions and services simply means IT systems and applications that are supported by an outsourced provider (outside of your datacenter). These providers use traditional technologies like routers, firewalls, servers, virtual machines, and databases like those that are deployed in your datacenter. They are mostly running commercial applications.

Cloud solutions are also referred to as hosted or SaaS (Software-as-a-Service) solutions. They are attractive to buyers because you can get applications up and running fast and have no maintenance responsibilities. You don’t have to worry about purchasing hardware or hiring top-dollar technical staff to keep the lights on and keep the systems secure. All you need to do is pay a fee for someone else to take care of it for you and in return, they provide you a Service Level Agreement (SLA), an uptime agreement, to meet your needs.

There are some basic concepts about cloud or hosted services. It can be set up as a dedicated or a shared environment. There’s also the concept of the public or private cloud. A true cloud model should be able to swap technologies dynamically so all the systems are used economically. (Note: A dedicated hosted environment is not really a cloud model. A true cloud architecture should always be shared.) This all happens in the backend, seamless to the users. You can learn more about the different cloud architectures here.

Operational Resiliency is NOT Disaster Recovery

Since our hosted providers are constantly managing systems at a profitable capacity level, meeting your daily operational SLA is their top priority. This means they are constantly balancing to have the least amount of resources in place at any time. This contradicts what you need for disaster recovery. In other words, to keep traffic moving, everyone must keep up with the speed limit. Once there is a crash, there will be a traffic jam because the road is not going to magically expand to let traffic flow. Infrastructure and assets are costly, and so are acquiring them and planning their capacity.

Thus, asking your cloud provider if they have a disaster recovery plan for the big traffic jam does not tell you what your Recovery Time Capability (RTC) is. If they have a plan and test their plan, it only tells you that they have a chance of coming back.

Lesson #1: Consider a BC/DR plan for your critical cloud applications. Do not rely on other people’s plan unless you’re their top customer.

Note: This is the first of more BC/DR planning for the Cloud. Come back or follow me on Twitter for more.

Moving Past BCM 101

Hi all, I just got back from DRJ Fall World in San Diego yesterday and what a beautiful place to meet other BCM professionals. Thank you DRJ for organizing such a great networking event.

Since the time I’ve been in the industry, one trend I’ve noticed is that there are a lot of people who have been in the industry for a long, long time, yet some of them are still talking about the same BCM 101 topics. It’s almost like a broken record. I’m not sure some of you are like myself, in that 50+ percentile of professionals in this industry who actually have and continue to obtain senior management support for your initiatives. If you’re like me, you may be interested in moving past the BCM 101 conversation. I like some meat with my potatoes please!

So here’s my question to you, what topic would you like to see discussed? Send me a comment with your suggestions and I will get back to you. Thanks in advance!

Misuse of Plans: Responding to a Terrorist Threat Is Not the Same as a Protest Threat by Non-Terrorists

A recent chain of protests against BART (Bay Area Rapid Transit System) has activated the agency’s crisis management plans, or maybe BART’s demonstration of the misuse of plans. During a series of protest incidents, the agency made several decisions that are being questioned by the public, activating plans intended for terrorist threats instead of protest threats.

The San Francisco mayor is seeking an SEC investigation on BART. Leading up to this investigation were two major decisions that BART made, causing major negative public impact for months to come: 1. the decision to shut off cellphone service in the subway stations, and 2. the attempt to control the media and citizen responses to the situation by providing scripted and paid media events to respond to the incident (paid for by tax dollars).

Both decisions are now under investigation and are causing a major negative public uproar. The harm is still spreading, causing outrage from its own Board of Directors and the hacker community. Hackers are attacking BART-related websites. The hacker community is posting tweets on Twitter that this is only the beginning.

Lessons learned from this incident:
1. Crisis Management is based on a team and activation model – as part of your Crisis Management plan, assembling the appropriate teams to make decisions and clearly outlining the escalation and activation plans are core activities. In a crisis event, you may not be able to predict everything that could happen, but it is absolutely critical to have a plan in place for the right leadership team members to govern the situation.

2. Identify All Your Possible Threats via a Risk Assessment and Be Prepared for Them – A response from a BART contact was that they do not have any experience handling protesters. I think this is a weak response and is not an acceptable reason. You’re setting the wrong precedent for all other agencies and corporate responsibilities.

Learn more about the BART protest here.

Lessons Learned from Japan

For most BC professionals, it is interesting to see how a disaster unfolds when it happens to someone else. I see it as an opportunity to learn from others’ mistakes and weaknesses, and to leverage what worked.

Here are some of my lessons learned from the devastating Japan disaster.

1. Plan for loss, not the scenario. Don’t worry so much about the nature of the disaster in your plans because it could be an earthquake, a tsunami, or both! Focus on the nature of the loss when planning for BC. I still think it is almost irrelevant what event happens because there may be infinite scenarios that could be disastrous. If you focus your BC effort on the loss of facilities, people, and technologies, you free up resources to focus on the more important, actionable part of the program – risk mitigation, recovery strategies, and training & awareness.

2. Plan for basic needs. Food and water, people! Often, I don’t see enterprise BCP plans that address the simplest basic human needs. Is this the responsibility of the enterprise or the individual? Well, if you asked me, I think if personal needs are not met, you will not have the bodies to help bring up the enterprise. So yeah, Enterprise, this is your business too. You need to make sure critical staff have plans to obtain basic food and water that is safe for them and their family so they can be available to help care for the company. Either that, or make sure you budget the RTO for this need to be taken care of.

3. Last, have really strong infrastructure. If the house you’re living in is flimsy, forget about salvaging the place. If your building, telecommunication, and technology infrastructure is not solid, don’t worry about having any BC/DR plans, because you won’t get to use them. Having a solid infrastructure is not only a good BC/DR practice, it’s good operational practice. You will gain from the investment every day, not only when a disaster is declared.

Disaster Planning – The Basics

Another gas explosion killed six people and one minor at a resort in Playa del Carmen, Mexico. Just a few months ago, in October 2010, a major gas explosion in San Bruno, CA, killed 4 people, transformed a neighborhood, and changed lives. Prior to that accident, the British Petroleum (BP) oil spill also caused major damage and kept many local residents from providing for their families. As a risk practitioner, I tell my clients that catastrophic events can happen anytime and can be caused by many types of events. However, can we better manage our risks?

Risk management has recently become a hot area of focus for many companies; however, it is a discipline that’s been practiced informally for decades. The biggest difference now is that it’s no longer optional: it is required by the board, regulators, and most importantly, by shareholders. As a result, the discipline is better funded and companies are better prepared at balancing and preparing for disasters.

Preparing for disasters means you don’t wait until a disaster happens to remediate gaps. At the same time, risks can never be fully eliminated because the cost may be too high to cover every “what if”. Thus, at the very minimum, here are some basic strategies to address. These strategies apply to small, medium, and large companies as well as to individuals.

1. Safety, Food and Shelter – Do you have a plan to seek safety, food, and shelter that can provide you the basics immediately after a disaster? If not, research your options, put a plan together for your company and family, and establish the appropriate relationships you need to improve the situation, or stockpile your needs, in case you need these resources.

2. Communication Plan – The first thing you need to do after an incident is connect with your loved ones and account for the safety of your staff. At the same time, under normal conditions, we take our communication tools and channels for granted. Cell phone towers will be overloaded if they are not down. You need a plan that your family and staff can use to coordinate and communicate with each other.

3. Financial Loss and Protection – Review your existing assets and future financial need if you were to rebuild your company or life. Do you have the coverage to kick start this process? If not, what is your plan to get the proper protection you need?

4. Personnel and Family Trauma – I strongly believe that our psyche is extremely powerful but, unfortunately, it is the most neglected aspect of taking care of basic human needs. Do you have resources you can turn to for peer, family, spiritual and professional support when you are in need of it the most?

Planning to put the proper support structure together takes time and/or money. If you put in the time, it may reduce the cost to your pocket book in the future and vice versa.

How Much To Spend on BCP and DR?

I’ve often been asked how much companies usually spend on BCP and DR. So when I came across this article, I thought I’d post this and share with you.

“Business continuity and disaster recovery represents between six percent and seven percent of the typical IT budget.” Click here to read more.

What’s Generally In-Scope for DR?

Disaster recovery (DR) scope is generally grouped in several tiers (service levels), and the requirements for DR are discovered through the Business Impact Analysis (BIA). For the sake of this blog, I’m giving DR a Tier 1, 2, and 3. Tier 1 is typically < 24 hours RTO (management tolerance for downtime), tier 2 is < 2 weeks and tier 3 is usually > 3-4 weeks RTO for most companies.

Systems typically in the tier 1 group are applications that support your business’ product, revenue, and financials. In addition, IT infrastructure components are also highly critical. For example, telecom, core network, VPN, DNS, DHCP, Active Directory, network share drives, and file and print servers are critical to the continuity of business.

Top 5 Reasons Why Companies Outsource BCP

1. When the skill set is not available. The key knowledge staff that used to be with the company are no longer available to support business continuity.

2. When you have to execute BCP in a timely manner. BCP is required for regulatory and operational risk management, but individuals in your organization do not have the time, training or experience to deliver key BCP and risk documentation in time to pass internal and external audits.

3. When you’re looking to get independent advice on making decisions. Management is looking for guidance based on best practices from other companies. Sometimes, tapping internal resources can be limited by the experience and culture of the company. Obtaining independent advice may be a more objective approach to decision making.

4. When innovation is required. The nature of the business is new and cutting edge. Traditional risks and continuity plans may not be a good fit for the business. Management is looking for highly specialized professionals who can creatively think outside the box.

5. When economy of scale makes sense. Management is looking for experienced individuals with the network to get the best solution and the most competitive pricing for recovery solutions.

Procure To Pay Cycle

Procuring is the process of finding vendors, qualifying vendors and buying from vendors. The pay process is the process of invoicing, verifying, and paying vendors. Depending on the size of your company, some or all of this process can be performed in the procurement, purchasing, accounts payable and business application / IT functions.

The Procure to Pay process consists of the following sub-processes:
1. Creating Purchase Requisition
2. Creating Purchase Order
3. Creating Receipt
4. Creating Invoice in AP
5. Paying the Invoice
6. Transfer, Import and Post to GL

Controls:
A. Purchase Requisition Controls – ensure that the purchase is valid and approved prior to the expenditure
  1. Approval for the purchase requisition
  2. Purchase requisition is approved for an approved vendor in the vendor master list
  3. Approver’s signature authorization limit

B. Vendor Master Controls – ensure that the vendor has been validated before set-up on the vendor master.

  1. Segregation of duties controls are exercised when granting system access to the vendor master.
  2. All vendors require a W-9 prior to set-up on the vendor master.
  3. In some cases a vendor profile form is required. (i.e. global vendors)
  4. Vendors are screened against business unit and other government requirements and watch lists or according to company policy.
  5. Inactive vendors are flagged or purged on an annual basis at least every 12-18 months
  6. Changes to the vendor master are accurate and reported for audit purposes.
  7. Address of vendor is validated as accurate and reported for audit purposes.
  8. Updates to employees on the vendor master are accurate and complete.
  9. Electronic Data Interchange (EDI) vendors are properly set up and appropriately validated.
  10. There are standard vendor naming conventions.
  11. Duplicate vendor remit to addresses are reviewed with appropriate action taken.
C. Invoice Processing Controls – the accounts payable function is responsible for the timely and accurate processing of invoices
  1. Segregation of duties controls are exercised when granting system access to invoice processing functionality.
  2. Vendor is paid only once for the goods and services delivered.
  3. Discounts are taken if appropriately approved.
  4. Vendor invoice is paid upon validation with goods received and purchase order. Blocked three-way match exceptions are not processed and are monitored by Accounts Payable for clearing.
  5. Vendor is paid at the appropriate price in accordance with the terms and conditions of the contract.
  6. Payments to contract labor vendors do not exceed the authorized amount.
  7. Purchases are authorized and in accordance with the company’s approval levels. Third party support (invoices/contracts) is sent directly to Accounts Payable.
  8. Interface, EDI, and spreadsheet upload transactions are accurately and completely transmitted to the Enterprise Resource Planning (ERP) system.
  9. Transaction is accurately reflected in the general ledger; Accounts Payable reconciliations for aging and clearing accounts are promptly performed and reviewed in a timely fashion.
  10. Invoices are processed according to invoice payment terms.
  11. EDI transactions are accurate and completely recorded in the organization’s ERP system.
  12. Disbursement Controls – to detect and prevent fraud in a timely manner.
  13. Check requests should be routed to the appropriate personnel for review prior to payment release.
  14. For audit purposes, disbursement activities should be traceable to the general ledger and bank statement.
  15. Approved purchase orders, receiving transactions, and invoices must support requests for payment.
  16. Vendor discounts should be taken according to company policy.
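Controls C.2 (a vendor is paid only once) and C.4 (three-way match against the purchase order and goods receipt, with blocked exceptions held for AP review) are the two invoice-processing controls that are easiest to automate. The following Python check is an added example, not code from the original post or from any of the applications listed below; the record layouts, the 2% unit-price tolerance and the sample invoices are all constructed assumptions.

```python
"""Three-way match (control C.4) and duplicate-invoice detection (control C.2).

Added example, not part of the original post. The record layouts, the
PRICE_TOLERANCE value and the sample data are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    qty: int
    unit_price: float
    approved: bool


@dataclass(frozen=True)
class Receipt:
    po_id: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    vendor_id: str
    po_id: str
    qty: int
    unit_price: float


PRICE_TOLERANCE = 0.02  # assumed: invoice unit price may differ from the PO by at most 2%


def three_way_match(inv, po_by_id, receipts):
    """Compare an invoice with its PO and goods receipts (control C.4).

    Returns a list of exception reasons. An empty list means the invoice clears;
    anything else is a blocked exception that stays in the AP queue for clearing.
    """
    po = po_by_id.get(inv.po_id)
    if po is None:
        return ["no matching purchase order"]
    reasons = []
    if not po.approved:
        reasons.append("purchase order not approved")
    if po.vendor_id != inv.vendor_id:
        reasons.append("vendor on invoice differs from vendor on PO")
    received = sum(r.qty_received for r in receipts if r.po_id == inv.po_id)
    if inv.qty > received:
        reasons.append(f"invoiced qty {inv.qty} exceeds received qty {received}")
    if inv.qty > po.qty:
        reasons.append(f"invoiced qty {inv.qty} exceeds ordered qty {po.qty}")
    if abs(inv.unit_price - po.unit_price) > PRICE_TOLERANCE * po.unit_price:
        reasons.append(f"unit price {inv.unit_price} outside tolerance of PO price {po.unit_price}")
    return reasons


def normalize_invoice_no(raw):
    """Fold case, whitespace, punctuation and leading zeros in each digit run,
    so that 'INV-7001' and 'inv 07001' compare as the same invoice number."""
    stripped = re.sub(r"[^A-Za-z0-9]", "", raw).upper()
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", stripped)


def find_duplicates(invoices):
    """Control C.2: flag any invoice that repeats an earlier one, either by
    normalized invoice number or by identical vendor/PO/amount under a new number.
    Returns {invoice_no: reason}."""
    by_number, by_amount, flagged = {}, {}, {}
    for inv in invoices:
        num_key = (inv.vendor_id, normalize_invoice_no(inv.invoice_no))
        amt_key = (inv.vendor_id, inv.po_id, round(inv.qty * inv.unit_price, 2))
        if num_key in by_number:
            flagged[inv.invoice_no] = f"same invoice number as {by_number[num_key]}"
        elif amt_key in by_amount:
            flagged[inv.invoice_no] = f"same vendor, PO and amount as {by_amount[amt_key]}"
        by_number.setdefault(num_key, inv.invoice_no)
        by_amount.setdefault(amt_key, inv.invoice_no)
    return flagged


# Constructed sample data (not real transactions).
PURCHASE_ORDERS = {
    "PO-100": PurchaseOrder("PO-100", "V-001", qty=10, unit_price=50.00, approved=True),
    "PO-200": PurchaseOrder("PO-200", "V-002", qty=5, unit_price=200.00, approved=False),
}
RECEIPTS = [Receipt("PO-100", 10), Receipt("PO-200", 5)]
INVOICES = [
    Invoice("INV-7001", "V-001", "PO-100", qty=10, unit_price=50.00),   # clean
    Invoice("inv 07001", "V-001", "PO-100", qty=10, unit_price=50.00),  # resubmitted duplicate
    Invoice("INV-7002", "V-001", "PO-100", qty=12, unit_price=50.00),   # billed more than received
    Invoice("INV-9001", "V-002", "PO-200", qty=5, unit_price=215.00),   # unapproved PO, price drift
    Invoice("INV-9999", "V-003", "PO-300", qty=1, unit_price=10.00),    # no PO at all
]


def run_checks(invoices=INVOICES, po_by_id=PURCHASE_ORDERS, receipts=RECEIPTS):
    """Return {invoice_no: [reasons]} for every invoice that must not be released."""
    blocked = {}
    for inv in invoices:
        reasons = three_way_match(inv, po_by_id, receipts)
        if reasons:
            blocked[inv.invoice_no] = reasons
    for invoice_no, reason in find_duplicates(invoices).items():
        blocked.setdefault(invoice_no, []).append(reason)
    return blocked


if __name__ == "__main__":
    for invoice_no, reasons in run_checks().items():
        print(invoice_no, "->", "; ".join(reasons))
```

Only INV-7001 clears; the other four land in the blocked dictionary with the reason AP needs to clear them. The invoice-number normalization matters because a second submission of the same invoice rarely arrives with an identical string, and the vendor/PO/amount key catches the case where only the number has changed.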

D. Disbursements Controls – disbursements must be recorded in the period the payment was made.

  1. Expenses must be properly and accurately recorded in the accounting records during the period in which the liability was incurred.
  2. Blank checks should be properly stored and safeguarded in a secure area.
  3. Ensure proper accounting for void or canceled checks.
  4. Specific limits of signed authority must be established for bank accounts.
  5. Banking and disbursement information must be safeguarded from loss or destruction.
  6. Checking accounts must be provided with a “match pay”, “positive pay”, or “positive payee” control that permits a preview of checks presented to the bank for payment.
  7. Check requests are used for the proper purpose and are limited in value.
  8. Ensure that the Automated Clearing House (ACH) network accounts have debit blocking capabilities to ensure that no unauthorized debits can be placed.

Process Optimization:
• Enable end-to-end process ownership from requisition to purchase order to payment. By reducing multiple purchasing groups, the organization can negotiate terms for the company’s strategic play.
• Create an urgent, non-urgent, and small amount spending process and streamline or automate the approval and reconciliation process.
• Optimize complex contract purchasing process with suppliers. Integrate the buying process with suppliers using ERP and EDI systems between companies.
• Bring the procurement process online to integrate and automate the purchasing lifecycle process.

Recommended Applications:
1. SAP
2. Oracle
3. Ariba
4. PurchasingNet
5. Computron
Please email me if you would like to add an application to this list.

References:
1. http://www.erpschools.com
2. http://www.businessstrategy.com/
If you’re an expert in this process, I’d love to list your resources here. Please email me with a link to your site.

SOX Compliance Threats

Below is the list of the 10 threats to SOX compliance published by Deloitte.

10 Threats to Compliance: Companies working toward Section 404 compliance should be especially alert to the following threats to compliance:
1. Lack of an enterprise-wide, executive-driven internal control management program
2. Lack of a formal enterprise risk management program
3. Inadequate controls associated with the recording of nonroutine, complex, and unusual transactions
4. Ineffectively controlled post-merger integration
5. Lack of effective controls over the IT environment
6. Ineffective financial reporting and disclosure preparation processes
7. Lack of formal controls over the financial closing process
8. Lack of current, consistent, complete, and documented accounting policies and procedures
9. Inability to evaluate and test controls over outsourced processes
10. Inadequate board and audit committee understanding of risk and control

Governance, Risk, & Compliance