As part of an effort to improve companies' disaster preparedness, the Financial Services Technology Consortium (FSTC) has completed a framework for measuring businesses' operational resiliency. The Resilient Enterprise: Benchmarking for Maturity initiative is a collaborative effort begun in 2005 between the FSTC and Carnegie Mellon's Software Engineering Institute CERT Program (Pittsburgh), along with banks and technology providers.
According to Charles Wallen, the New York-based FSTC's managing executive, the project offers a disaster preparedness road map for companies. "Our focus on resiliency is driven by business continuity and the security of IT operations," he says. "Banks are the most mature kinds of companies in handling operational risk, so that's why we started to work with them first."
But managing business disruptions is a collaborative problem that goes beyond banks, Wallen adds. It affects telecommunications, utilities, transportation, government agencies and a host of other organizations, he notes.
Wallen says the FSTC worked with 10 large financial services companies to see how they measured on key metrics of operational resiliency. The project members have now completed a framework against which to benchmark operational resiliency and are implementing it across their organizations.
Pittsburgh-based PNC Financial ($139 billion in assets), for instance, already has implemented the new measures, according to Jeffrey Gerlach, manager of business resiliency at the bank. "We have recently benchmarked our organization using the Resiliency Engineering Framework [REF] with outstanding results," Gerlach relates. "With firms of all sizes looking to improve operational resiliency, this next phase of this ongoing effort should prove to be extremely valuable ... across all industries."
The FSTC/CERT partnership originated out of coincidence, as both were working on similar projects, says Rich Caralli, technical lead for the CERT REF project. CERT wanted to "bring a process improvement approach to operational resiliency. We wanted to create an objective measuring tool for organizations to use to look at resiliency and benchmark themselves against other institutions," he explains. "We're bringing a quantitative view to the process and are defining what the true process improvements are."
Added Efficiency, Too
Not only will the framework provide organizations with a way to measure their preparedness, it also will create efficiencies by eliminating duplicated efforts around business continuity within companies, says the FSTC's Wallen, who emphasizes that the framework does not consist of any specific software recommendations. "It doesn't force an organization to change what it does," he notes. "It's just a process. So if an organization uses other standards, such as ISO, it will plug into this framework. We didn't want to create another set of practices for companies to adhere to -- it's something to help them make sense of everything."
Banks have had access to the framework since last September, says CERT's Caralli. Now, however, it is available for download in the public domain. "We created a truly agnostic model that applies to all industries," Caralli states, adding that the next step will revolve around educating companies about the Resiliency Model. He says an appraisal program also will be established to help companies employ the measures.
"Managing risk isn't a technology problem," notes Caralli. "The problem is in determining where to invest your dollars. The framework lets organizations take a proactive approach to where to invest money to reduce risk and comply."