Ray Stanton, Executive Global Head, Business Continuity, Security and Governance, BT: Building Resilience for the 21st Century Organisation. CSARN Wales Conference, Cardiff Millennium Stadium, 19 May 2010

Page 1

Ray Stanton, Executive Global Head, Business Continuity, Security and Governance, BT

Building Resilience for the 21st Century Organisation

CSARN Wales Conference, Cardiff Millennium Stadium, 19 May 2010

Page 2

Agenda / topics covered

Who is BT

Risks facing national governments

Choosing your business continuity strategy

Public / private partnership in action, case study: Cockermouth, one team in a crisis!

Key messages & take-aways

Page 3

Introducing BT Group and its lines of business

• Over 112,000 people delivering service to more than 170 countries

• In the year ended 31 March 2010 BT Group revenue was £20,911 million, with EBITDA of £5,781 million*

For more information please visit www.bt.com/aboutbt

BT Group plc (Group CEO: Ian Livingston; Group CFO: Tony Chanmugam): group strategy & operations

Lines of business:

BT Operate: operates and manages BT's network and BT customers from all lines of business. CEO: Roel Louhoff

BT Innovate & Design: BT's R&D research facilities and "Design Factory", servicing all lines of business. CEO and Group CIO: Clive Selley

BT Retail: IT and comms services in the UK. CEO: Gavin Patterson

BT Wholesale: carrier and infrastructure services globally. CEO: Sally Davis

Openreach: provision of fair and equal network access. CEO: Steve Robertson

BT Global Services: provision of networked IT services globally. CEO: Jeff Kelly

(Chart labels: "Group strategy & operations" for BT Group plc, "Customer relationships" for the lines of business)

*before specific items, leaver costs, net interest on pensions, and contract & financial review charges

Page 4

Risks facing national governments – an example

An illustration of the high consequence risks facing the United Kingdom

[Diagram: relative likelihood (horizontal axis) against relative impact (vertical axis). Risks plotted: Pandemic Influenza; Attacks on Critical Infrastructure; Coastal Flooding; Major Industrial Accidents; Major Transport Accidents; Severe Weather; Electronic Attacks; Animal Disease; Non-conventional Attacks; Inland Flooding; Attacks on Transport; Attacks on Crowded Places]

Page 5: Csarn 19 May 2010

Relative Likelihood

Rela

tive

Imp

ac

t

Pandemic

Influenza

Attacks onCritical

Infrastructure

Coastal

Flooding

Major Industrial

Accidents

Major Transport

Accidents

Severe

Weather

Electronic

Attacks

Animal

Disease

Non-conventional

Attacks

Inland

Flooding

Attacks on

Transport

Attacks on

Crowded

Places

Highlighting those risks most relevant to BT

The threats, risks and issues – a BT perspective

Page 6

Example Reporting Security & Continuity Risks within BT

[Diagram: likelihood (1 to 6) against impact (1 to 6), with the 18 risks below plotted by their key number]

KEY

1. Pandemic flu

2. Industrial action

3. Supplier/contractor failure

4. Data security breach

5. Theft of physical assets

6. Network attack (physical)

7. Accidental cable damage

8. Fire/explosion/terrorist bomb

9. Network attack (logical)

10. Breach of contract

11. Employee malice/corruption

12. Revenue fraud

13. Riot/political unrest

14. Natural disaster or climate change

15. Power failure

16. System/equipment failure

17. Product liability

18. Attack on employees

Page 7

Security & Continuity Risks – Logical Grouping

[Diagram: the 18 risks from the page 6 key arranged under four headings, SERVICE INTERRUPTING, NON-MALICIOUS, MALICIOUS and NEGLIGENT, on an axis of increasing impact. The assignment of each risk to a heading is not recoverable from the transcript.]

Risks in the order they appear on the diagram, with their page 6 key numbers:

Product Liability (17), System Failure (16), Natural Disaster (14), Cable Damage (7), Power Failure (15), Pandemic Flu (1), Attack on Employees (18), Revenue Fraud (12), Employee Malice (11), Theft of Assets (5), Logical Attack (9), Physical Attack (6), Fire/Explosion/Bomb (8), Political Instability (13), Data Security (4), Industrial Action (2), Supplier Failure (3), Contract Fulfilment (10)

Page 8

Representing Risks on Impact vs. Likelihood Diagrams

Very simple and subjective representation: the three zones of risk call for different approaches to risk management:

1. BaU zone

2. Managed risk zone

3. "Black Swan" zone

[Diagram: net likelihood (1 to 6) against net impact (1 to 6), with a single point "X" marking single values of Impact & Likelihood for a risk]

More realistic, comprehensive and objective representation: "Risk Frontier" curve with distribution of values for Impact & Likelihood

[Diagram: Likelihood (%) from 0% to 100% against Impact (£m) from 0 to 500, with the three zones marked along the curve]

BaU zone: high frequency incidents; efficiency and reliability issues; CE / RFT problems; predictable; historical data available

Managed Risk zone: major incidents; expert judgement; limited data (not just BT's)

"Black Swan" zone: "tail" of the distribution; perceived threats & fears; worst credible scenarios; no experience or data
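The following Python is an added worked example, not BT's tooling and not code from the presentation. It models the difference between the single-point "X" on the simple diagram and the distribution-based "Risk Frontier" view: each risk carries a triangular distribution for impact and for likelihood, the point estimate is zoned on its most likely values, and a Monte Carlo run shows what share of the distribution falls into each zone. The zone boundaries, the two sample risks (named after entries in the page 6 key) and their distributions are assumptions chosen for illustration.

```python
"""Impact vs likelihood zoning: single point estimate versus a distribution.

Added example for the three-zone diagram; not BT's code. The zone
boundaries, the sample risks and their distributions are assumptions.
"""
import random
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed zone boundaries on the (impact in GBP m, likelihood in %) plane.
BAU_MAX_IMPACT = 50.0            # below this: predictable, historical data
BLACK_SWAN_MIN_IMPACT = 300.0    # worst credible scenarios start here
BLACK_SWAN_MAX_LIKELIHOOD = 5.0  # and they are rare by definition


def zone(impact_m: float, likelihood_pct: float) -> str:
    """Classify one (impact, likelihood) point into BaU, Managed or Black Swan."""
    if impact_m < BAU_MAX_IMPACT:
        return "BaU"
    if impact_m >= BLACK_SWAN_MIN_IMPACT and likelihood_pct <= BLACK_SWAN_MAX_LIKELIHOOD:
        return "Black Swan"
    return "Managed"


@dataclass(frozen=True)
class Tri:
    """Triangular distribution: low, most likely (mode), high."""
    low: float
    mode: float
    high: float

    def draw(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Risk:
    name: str
    impact_m: Tri        # impact in GBP millions
    likelihood_pct: Tri  # likelihood over the planning horizon, in %


# Constructed sample risks: names reuse the page 6 key, all values are assumed.
CABLE_DAMAGE = Risk("7. Accidental cable damage", Tri(1, 5, 40), Tri(40, 60, 90))
LOGICAL_ATTACK = Risk("9. Network attack (logical)", Tri(20, 80, 400), Tri(1, 8, 30))


def point_zone(risk: Risk) -> str:
    """The 'X' on the simple diagram: the zone of the most likely values."""
    return zone(risk.impact_m.mode, risk.likelihood_pct.mode)


def point_expected_loss(risk: Risk) -> float:
    """Expected loss (GBP m) implied by the single-point estimate."""
    return risk.impact_m.mode * risk.likelihood_pct.mode / 100.0


def simulate(risk: Risk, n: int = 20000, seed: int = 1) -> Tuple[Dict[str, float], float]:
    """Monte Carlo over the two distributions, assumed independent.

    Returns (share of draws landing in each zone, mean loss in GBP m).
    """
    rng = random.Random(seed)
    counts = {"BaU": 0, "Managed": 0, "Black Swan": 0}
    loss_total = 0.0
    for _ in range(n):
        impact = risk.impact_m.draw(rng)
        likelihood = risk.likelihood_pct.draw(rng)
        counts[zone(impact, likelihood)] += 1
        loss_total += impact * likelihood / 100.0
    shares = {z: c / n for z, c in counts.items()}
    return shares, loss_total / n


def report(risk: Risk) -> None:
    shares, mean_loss = simulate(risk)
    print(f"{risk.name}: point estimate in {point_zone(risk)} zone, "
          f"expected loss {point_expected_loss(risk):.1f}m")
    for z, share in shares.items():
        print(f"  {z:<10} {share:6.1%} of the distribution")
    print(f"  distribution-based expected loss {mean_loss:.1f}m")


if __name__ == "__main__":
    report(CABLE_DAMAGE)
    report(LOGICAL_ATTACK)
```

Run as a script it prints both reports. With these assumed inputs the cable-damage risk stays entirely in the BaU zone, while the logical-attack risk plots as a managed risk at its most likely values yet puts roughly one draw in 150 into the Black Swan tail, and its distribution-based expected loss is more than three times the point estimate. That gap is the slide's argument for reporting distributions rather than single points.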

Page 9

BT's Risk Register Hierarchy

[Diagram: four linked tiers of register, from the most specific to the most general]

Risk Mitigation actions: ACTION 1. Protected dual power supplies; ACTION 2. Standby generator upgrade; ACTION 3. Improved site security measures

Information Assurance Risk Register: RISK 1. Power source disruption; RISK 2. Electronic interference; RISK 3. Overloading C&C infrastructure

S&C (Security & Continuity) Risk Register: RISK 1. Pandemic flu; RISK 6. Industrial action; RISK 9. Network attack (logical); RISK 15. Power failure

Group Risk Register: RISK 5. Funding of the Pension Scheme; RISK 6. Failure of Corporate Resilience; RISK 7. Threat of Industrial Action

Page 10

Choosing your strategy: where to deploy Business Continuity?

IT: colocation of critical IT systems, back-up, mirrored data centres. Often built into BPO contracts, with additional hardware

Physical: redundant (often virtual) space for disaster or contingency planning, relocation services and emergency contact centres

Connectivity: mirrored and alternative bandwidth and connectivity plans, including mobilised and distributed capability

People: distributed workforce, but also multi-skilled staff crossing over workloads to ensure resilience. Defined lines of responsibility

Processes: redundancy in systems and processes. Understanding of prioritisation in service delivery

Source: IDC Research for BT; November 2007

Page 11

Remember basic principles – the Business Continuity Lifecycle

• Logical methodology

• Ensures appropriate solutions

• Accepted best practice

• Framework for continual improvement

• Continual engagement with customer

• Solutions not products

[Diagram: the business continuity lifecycle, with BCM Programme Management at its centre]

Page 12

Benchmark against best standard: e.g. BS 25999

• Worldwide standard for business continuity management

• Widely accepted

• Is the only BC standard that can be certified against

• Full range of complementary professional services

Page 13

Public / Private Partnership in action

Page 14

How does BT discharge its Civil Contingency Obligations as a Category 2 Responder?

2 senior managers and a virtual team of 80+ liaison managers (regional and senior operational managers)

Responsible for:

▬ Attending local (54 Local Resilience Forums, LRFs, UK wide) and regional (12 Regional Resilience Forums, RRFs, UK wide) resilience meetings where appropriate (Chief Constable / CEO level);

▬ Attending exercises where appropriate at regional or local level;

▬ Information sharing where appropriate (BCM resilience opportunity); and

▬ Attending multi-agency 'GOLD' commands during incidents (85% of the BT liaison managers are trained at GOLD command level)

Page 15

'One Team in a Crisis': Cumbria, November 2009

Page 16

BT Initial Response & Establish Control

Led by BT's most senior 'on call' executive

• Initiated a Threat Assessment and Response Group (TARG) comprising key Business Unit leads (Network Management, Incident Management, Market-facing Units, Media Ops, HR, Legal, Property, BCM)

Initiated a BT Gold Coordination Group

• As a result of the TARG, formed and chaired BT Gold throughout BT's response

Linked into the Multi-Agency Strategic Coordination Group (SCG)

• Directed the brief and deployment of the BT Liaison Manager to Cumbria SCG by the Civil Resilience Duty Officer

Page 17

BT Recovery & Return to Normality

BT Incident Management Team (BT Silver)

• Initiated traffic rerouting round the damaged network to restore service ASAP; assembled teams of fibre optic and copper cable specialists to divert or build a temporary network around the Northside bridge area (three months' work concluded in seven days);

BT Liaison Manager: secured support from Category 1 and 2 responders

• Specifically Cumbria County Council and Network Rail, allowing a temporary network to be constructed over the rail bridge to the west of the collapsed Northside bridge;

Support to Responders by BT Bronze Teams

• In addition to repairing the devastated network in Workington, BT technicians also provided specialist communications support in Cockermouth and across Cumbria, supporting agencies by restoring lost services or providing temporary service to aid their response;

Support to the Community by BT Bronze Teams

• Provided return-to-premises support to communities across Cumbria by testing internal network and equipment before allowing use.

Page 18

Solutions from BT addressing organisations' BC/DR needs

IT and Disaster Recovery

• Recovery of voice, IT, premises and communications in the event of disaster within agreed recovery time objectives

• BT Commsure in the UK providing full voice and data recovery services

Mobile and Flexible Working

• Provision of secure mobile communications, enabling location-independent operation

• Flexible working and home-working solutions to enhance pandemic preparedness

Resilient Communications

• Secure and highly dependable IP infrastructure

• BT's WAN provides the basis for next generation converged solutions with quality of service and reliability

Resilient Data Centre Services

• Secure and resilient hosting of client systems in BT data centres

• Fail-over service: full client system duplicated in a BT facility

• Storage (e-mail archiving, data vaulting etc.)

Business Continuity Consulting

• Full end-to-end lifecycle based on emerging (BS 25999) standards

• Business case and benchmarking against industry best practices

• Process embedding, not just a one-off, box-ticking exercise

Page 19

In summary, our opinion and take-aways

In our opinion

• The risk environment is more volatile, not less;

• Your stakeholders will demand protection of their assets and proof that your business is resilient;

• Strong business continuity strategies, following basic principles, are the best way to protect your organisation.

Take-aways / food for thought:

• Look to share technology and operational risks with trusted, qualified partners and similar organisations on common ground!

• Introduce common risk management standards now to deal with the continuing convergence of networks and the applications that depend on them;

• Risk is not going away, embrace it now!

• Plan, plan and plan again, but get on with the execution now. But remember: fail to plan, plan to fail!

"There cannot be a crisis next week. My schedule is already full"

Henry Kissinger

Page 20

In the end, it's all about avoiding problems before they happen!