Is there a need to invest in BCM? October 2011 www.pwc.com

Chris Gould - BCM case

Description: PwC presentation by Chris Gould at Infobez-2011

Page 1

Is there a need to invest in BCM? October 2011

www.pwc.com

Page 2

01 The Business Case

There are many reasons for taking BCM seriously, but not all of them are relevant to our market.

Page 3

We are facing increasingly evolving risks which impact our businesses

Figure: complexity rising over time as operating models move from local production, through outsourcing and off-shoring, to integrated supply chains. Events plotted along the way: fire, IT failure, the war against terror, pandemic flu, regional unrest (Caucasus), the credit crunch, international disaster (Japan).

Page 4

And this becomes more complex as organizational models evolve

Figure: four organisational models built from the same elements (strategy, governance, operating companies (OpCo), sites, processes, brand, and the support functions IT, logistics and payroll): classic organisation; function outsourcing; business process outsourcing; brand & franchise model.

Page 5

Does it matter?

Supply chain disruption

Loss of business opportunities

Damage to company reputation

Loss of market share

A breach in industry regulation

Loss of market value

Page 6

High impact, low probability

Known risks: have happened before, so cause, impact and probability are understood. e.g. earthquake, major debtor default, supplier failure.

Emerging risks: several competing plausible models as to how reality might unfold. e.g. major terrorist act, climate change.

Unknowable risks ("black swans"): unforeseeable; have not yet emerged. e.g. volcanic ash cloud?

Page 7

Does it matter? How value is destroyed in companies

Figure: four categories of value-destroying events (Strategic, Operational, Hazard, Financial) laid out in the same order as the four shares 39%, 28%, 19% and 14%. Causes listed: demand shortfall, customer retention, integration problems, pricing pressure, regulation, R&D, industry or sector downturn, JV or partner losses, macroeconomic, political issues, legal issues, terrorism, natural disasters, cost overrun, operating controls, poor capacity management, supply chain issues, employee issues incl. fraud, commodity prices, debt and interest rates, poor financial management, asset losses, goodwill and amortisation, accounting problems, bribery and corruption.

Page 8

The case for Business Continuity Management: impact on value

Source: Knight / Pretty 1996-2010

Figure: stakeholder value over the 250 days following an event. Companies with a positive approach to business continuity (recoverers) regain value; other companies (non-recoverers) do not. The differentiators are management skills and response, and stakeholder communication.

Insurance alone is inadequate

Plans need to be implemented

Page 9 and Page 10

BCM cause and effect

Events / Threats:

Disease: SARS, pandemic flu, BSE

Terrorism: 9/11, 7/7

Catastrophes: New Orleans, floods, earthquakes

System failure: IT failure, safety systems (Hatfield)

Fraud: Enron, Leeson

Business impacts:

Loss of staff

Infrastructure disruption

Loss of assets

Loss of reputation

Loss of supply

Loss of revenue, loss of competitive position

Pressure for BCM:

Governance | Sarbanes Oxley, Basel II

Civil legislation | CCA

Regulations | e.g. CBR

Trading partners | Clients, Suppliers

Markets | Insurance, Money

Stakeholders | Investors, Staff

Page 11

02 Defining BCM

So what do we mean by BCM?

Page 12

What are we talking about here? Definitions

“A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”

BS25999 Part 1 Code of Practice

Page 13

What is good practice?

BS25999 (Pt 1 & 2)

BS25777

FSA Good Practice Guide

ISO 27001

BASEL II/III

Sarbanes Oxley

Data Protection

Page 14

What do I look for?

Governance & responsibilities: central but light control; BCM champion; board / executive involvement; business leadership involvement.

BIAs: do plans cover end-to-end business processes? Do plans vary according to criticality? How were the products / services prioritised?

Decision making: what is the evidence of action based on BCPs? Do business decisions take BCM into account?

Exercising: real-life responses; thought-through programmes.

Supply chain: specifically taken into account.

Integration with risk management: influences insurance; feeds into the risk register; investment consistency.

Culture / comms: systems for maintenance; availability of plans, knowledge of plans; team structure.

Page 15

Five questions to ask yourselves

1. Do we have the right plans? Are the plans fit for purpose and easy to use? Are they up to date?

2. Is the board on top of this? Are they involved? Do they know the recovery priorities, what will happen in a crisis? Who does what and where?

3. Is the governance right? Does this link back to the board? Have accountabilities and assurance been defined?

4. Will the plans work? Have the plans been rehearsed effectively and regularly?

5. Are we spending wisely? Are sensible choices being made between expenditure on different risk treatments? Can people explain how much is being spent on resilience and why?

Page 16

03 How to approach BCM: BCM project basics

Page 17

Project components

Project management: a pragmatic approach, sensitive to your culture and requirements, is needed. Work closely with audit and risk management staff so that there is consistency across these activities.

Governance: BCM must be integrated with your wider risk management activity, and the necessary governance for BCM put in place. It is imperative to select the best team structure to plan and assure your BCM capability and to respond in a crisis.

Analysis: in developing your BCM capability you will establish a clear understanding of your organisation, its structures and systems, internal and external interdependencies, suppliers and stakeholders, and the resources required to recover your business quickly following disruption. This information is essential for BCM to support prioritisation, planning and strategy.

Strategy: next, determine the options for recovery strategies and facilitate the selection of the most appropriate, so that your investment in BCM is targeted where it matters. Note that some strategies may require additional work and expenditure outside the scope of this project (for example, if additional IT recovery capability is needed).

Planning: during the programme, develop simple, effective crisis management, business continuity and incident response plans that are easy to use and simple to maintain. These plans should be owned and maintained by those who will actually use them.

Rehearsal & validation (embedding capability): completed plans and the response teams should be exercised; this is vital to ensure they work as expected. This stage also outlines the programme required for exercising, and the BCM system needed to keep the plans up to date.

Page 18

Project work streams

Governance: project management; policy and framework; governance; BC management system.

Understand: strategic business impact analysis; department BIA; BCM strategy.

Plan: incident management / crisis plan; process recovery plans; dependency plans; business continuity plans.

Embed: programme design; exercising; training and awareness; review.

Page 19

Governance (2-3 weeks elapsed)

Programme management. Activities: kick-off meeting; information gathering. Outputs: project plan; summary of information available.

Policy & framework. Activities: establish a governance framework; confirm BCM policy; develop BCM framework. Outputs: BCM policy & framework; governance framework, including a steering group.

Management engagement is vital to the success of any BCM programme.

Need to work closely with management to ensure that we clearly understand your business and your existing BCM capability.

In doing so you will capture your existing view of your structures, internal and external inter-dependencies, suppliers and stakeholders, and identify at a high level the most critical processes and supporting resources that support your value chain and strategic objectives.

This sets the scope of BCM within Age UK and enables you to set up appropriate governance for your BCM programme.

Lastly you need to build a BCM framework that is appropriate to your organisation.

Page 20

Understand (3-5 weeks elapsed)

BIA. Activities: review of existing material; meeting with SMT to validate; detailed follow-up interviews to detail requirements, preferred strategies and risks. Outputs: validated and prioritised activities; documented business impact assessment.

BCM strategy. Activities: identify exposures and potential strategies; strategy workshop; document chosen strategies. Outputs: recovery priorities; recovery strategies.

Having agreed a common view of your key business activities and identified at a high level the most critical processes and supporting resources that support your strategic objectives, you need to analyse the exposures for your organisation.

Through review of existing material, interviews and workshops with your management, the BCM team needs to identify and agree your recovery priorities and develop strategies for business recovery.

Page 21

Plan (4-6 weeks elapsed)

Crisis management and incident response. Activities: meet site response teams; agree and document incident response procedures; agree composition and procedures for the crisis management team; agree plan templates and develop the CMP. Outputs: incident response plans for each location; crisis management plan.

Business recovery plans. Activities: agree templates and draft BCPs; review drafts with departments; finalise plans. Outputs: business recovery plans for each department.

Working with the people responsible for responding to incidents at each location, you need to consolidate procedures into consistent plans for each site.

Working with the steering group, you need to identify members of the crisis management team, and develop and document crisis management procedures, dovetailed with existing PR arrangements, into a crisis management plan.

Working with departmental leadership, you need to document key recovery strategies and actions into simple departmental plans.

Page 22

Embed (4-6 weeks elapsed)

Knowledge transfer. Activities: plan walk-throughs with response teams; coaching and knowledge transfer to nominated Age UK staff throughout the process. Outputs: walk-throughs, with team awareness of plan contents.

Embedding programme. Activities: agree communication requirements; agree approach to exercising, and design a high-level exercising programme; agree BCMS. Outputs: high-level communications plan; high-level exercise programme; recommended BCMS.

Embedding BCM capability is critical. This engagement does not fully address this requirement, which is long term.

In this step you need to walk through the plans with the various plan owners so that they understand the contents.

You also need to determine how to implement an exercising and training programme, a communications programme, and a business continuity management system (to maintain the capability).

Page 23

Summary: key activities (Example Company)

Figure: each function's key activities placed in the recovery band they need (recover day 1, recover 1-2 days, recover 3-7 days, recover 8-14 days, recover >15 days). Functions and activities shown:

People & Performance: health & safety, payroll, policy / HR advice, expenses, internal comms.

Legal: legal processes, governance for statutory books, broker / insurance company / loss adjustor liaison.

Premises & Facilities (GF): security, postal services, switchboard, cleaning / waste management, maintenance & repairs.

IT Systems (GF): e-mail, Raiser's Edge, telephony, servers, Great Plains, Albany software, CRM db.

Finance (GF): bank reconciliations, pay suppliers, statutory reports, management information.

Management Information & Control.

Services, Fund Raising, Procurement, Influencing, Marketing, Retail, Trading & Training, ACEnt: call-in time, hardship grants, I&A L3, I&A L1/L2, handy van, gifted housing, digital incl., direct marketing campaigns, events management, legacy admin, relations with trusts / major givers, corporate partnerships, sourcing of goods & services, public affairs, media and PR, international, cash don, DD payments, customer queries / complaints, marketing material, gift aid, response centre service, stock collection, area manager support, shops' ability to still trade, warehouse supply, Warrington dispatch.

3rd-party providers: Bond, Team Spirit, Charityshare liaison, Eldercare, ACEnt providers.

Page 24

Business focus

• On too many occasions, BCM is seen simply as the recovery of facilities and IT. This is not what BCM is about: it is about keeping the business running.

• BCM has to speak to senior management so that they become engaged and set the right priorities.

• This is a heat map for key business processes, designed to be quickly understood within the context of a management workshop. This is an example of how PwC makes BCM accessible and relevant to the business.

Figure: heat map of business processes (Regulatory Reporting, Call centre Advice service, Partner Relations, In-shop Service, Emergency Response Service, Revenue Collection, Primary Care Service) plotted by Impact (High / Medium / Low) against Recovery Time Objective (>2 weeks, 1-2 weeks, 4 days to 1 week, 1-3 days, <1 day); cells rated Critical / High / Medium / Low.

* Natural controls have been taken into consideration
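The heat map above ranks processes by impact and RTO, and the key-activities summary on the previous page places each activity, and the IT, finance and facilities resources behind it, into a recovery band. The following is an added example, not code from the presentation or from PwC, of how to make that ranking mechanical and, more usefully, check it for the gap a dependency-driven view of BCM is meant to catch: a shared resource such as a CRM database or a server room has to be back no later than the fastest process that depends on it, so its required RTO is derived from its dependents rather than stated on its own, and any recovery strategy slower than that is a finding. The Activity record, the scoring thresholds, the sample processes and resources, and their RTOs and planned recovery times are all constructed assumptions for illustration.

```python
"""BIA consistency check: derive the RTO each supporting resource must meet from the
activities that depend on it, flag resources whose planned recovery is too slow, and
bucket everything into the recovery bands used on the summary slide.
Constructed example; thresholds and sample data are assumptions, not PwC's method."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Recovery bands from the key-activities summary: (label, upper bound in days, inclusive).
BANDS = [("day 1", 1), ("1-2 days", 2), ("3-7 days", 7), ("8-14 days", 14), (">15 days", math.inf)]
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Activity:
    name: str
    impact: Optional[str] = None          # "low" | "medium" | "high" from BIA interviews; None for a pure resource
    rto_days: Optional[float] = None      # RTO the business stated; None if it is only derived from dependents
    depends_on: List[str] = field(default_factory=list)  # resources or activities this item needs
    planned_days: Optional[float] = None  # what the current recovery strategy can actually deliver


def band_for(days: float) -> str:
    """Map a number of days to the slide's recovery band label."""
    for label, upper in BANDS:
        if days <= upper:
            return label
    return BANDS[-1][0]


def heat_rating(impact: str, rto_days: float) -> str:
    """Heat-map cell colour from impact x urgency (assumed scoring: 1..9)."""
    urgency = 3 if rto_days <= 1 else 2 if rto_days <= 7 else 1
    score = IMPACT_SCORE[impact] * urgency
    return "critical" if score >= 6 else "high" if score >= 4 else "medium" if score >= 2 else "low"


def heat_map(items: List[Activity]) -> Dict[str, str]:
    """Rating for every item that has a stated impact and RTO (the business processes)."""
    return {a.name: heat_rating(a.impact, a.rto_days) for a in items
            if a.impact is not None and a.rto_days is not None}


def derived_rtos(items: List[Activity]) -> Dict[str, float]:
    """RTO each item must meet: its own stated RTO, tightened by every item that depends on it.
    A resource has to be back no later than the fastest activity that needs it."""
    by_name = {a.name: a for a in items}
    dependents: Dict[str, List[str]] = {n: [] for n in by_name}
    for a in items:
        for d in a.depends_on:
            if d not in by_name:
                raise KeyError(f"{a.name!r} depends on unknown item {d!r}")
            dependents[d].append(a.name)
    memo: Dict[str, float] = {}
    visiting: set = set()

    def required(name: str) -> float:
        if name in memo:
            return memo[name]
        if name in visiting:  # a cycle means the BIA itself is inconsistent and cannot be sequenced
            raise ValueError(f"dependency cycle through {name!r}")
        visiting.add(name)
        own = by_name[name].rto_days
        best = own if own is not None else math.inf
        for dep in dependents[name]:
            best = min(best, required(dep))
        visiting.discard(name)
        memo[name] = best
        return best

    return {n: required(n) for n in by_name}


def gaps(items: List[Activity]) -> List[Tuple[str, float, float]]:
    """(name, planned, required) for every item whose planned recovery misses its derived RTO."""
    req = derived_rtos(items)
    return sorted((a.name, a.planned_days, req[a.name]) for a in items
                  if a.planned_days is not None and a.planned_days > req[a.name])


def recovery_waves(items: List[Activity]) -> Dict[str, List[str]]:
    """Bucket every item into the recovery band its derived RTO demands."""
    req = derived_rtos(items)
    waves: Dict[str, List[str]] = {label: [] for label, _ in BANDS}
    for name, days in sorted(req.items(), key=lambda kv: (kv[1], kv[0])):
        waves[band_for(days)].append(name)
    return waves


# Constructed sample, loosely modelled on the charity example: three business processes
# with stated impact and RTO, and the IT and finance resources they rely on.
SAMPLE = [
    Activity("Call centre advice service", "high", 1, ["Telephony", "CRM db"]),
    Activity("Revenue collection", "high", 3, ["CRM db", "Bank reconciliations"]),
    Activity("Regulatory reporting", "medium", 14, ["Finance system"]),
    Activity("Telephony", planned_days=1),
    Activity("CRM db", depends_on=["Servers"], planned_days=7),
    Activity("Servers", planned_days=2),
    Activity("Bank reconciliations", depends_on=["Finance system"], planned_days=3),
    Activity("Finance system", depends_on=["Servers"], planned_days=5),
]

if __name__ == "__main__":
    for name, rating in heat_map(SAMPLE).items():
        print(f"{name:28} {rating}")
    for name, planned, needed in gaps(SAMPLE):
        print(f"GAP: {name} planned {planned}d but must be back within {needed}d")
    for label, names in recovery_waves(SAMPLE).items():
        print(f"{label:>10}: {', '.join(names) or '-'}")
```

Run it and the three GAP lines are the finding a workshop would act on: the CRM database and the servers are planned for 7 and 2 days, but the call centre's one-day RTO pulls both down to day 1, and the finance system must be back in 3 days because revenue collection needs bank reconciliations. The cycle check matters as well: a BIA in which two departments each name the other as a prerequisite cannot be sequenced and should go back to the interviewees.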

Page 25

04 How to approach BCM: programmes & governance for complex organizations

Page 26

Fit for purpose

Figure: the organisation (factories, HQ, distribution, sales office) with its support functions, infrastructure and products / services, connected to suppliers, clients and partners.

Page 27

Business Continuity Management: organisation and BCM elements

Best practice by organisational level:

Corporate: business continuity policy and governance model; crisis management framework; risk register; programme implementation schedule.

Division: programme implementation plan; divisional business priorities and continuity strategy; supply chain resilience plan.

Site: business recovery plans; incident response plans.

(The figure repeats the organisation, support functions, infrastructure, products / services, suppliers, clients and partners view from the previous page.)

Page 28

Maturing BCM: moving goalposts?

Undeveloped. Characteristics: piecemeal and ad hoc plans, usually driven by a need to comply with legislation or regulation. Ability to respond: minimum legal / regulatory requirements are met but the ability to respond is patchy and uncertain.

Formalised. Characteristics: BCM policy is set, and business continuity plans developed for key sites and facilities. Ability to respond: key sites and facilities can respond to major incidents and they should be able to reduce the disruption to their operations.

Established. Characteristics: business continuity is integrated with incident and crisis management and emergency response. The BCMS is embedded in the organisation with regular exercising. Ability to respond: response capabilities are optimised at a site level and their ability to recover operations is reasonably certain and efficient.

Integrated. Characteristics: analysis has been done across the organisational silos taking into account supply and value chain dependencies and risks. Ability to respond: key business priorities understood, and the organisation can implement a strategic response across sites and supply chain to disruptions.

Optimised. Characteristics: BCM integrated within the overall risk management approach, and embedded within the corporate governance processes. Ability to respond: investment in BCM and risk is optimised, and the organisation has sustained capability to respond to major threats.

Page 29

Business Continuity Management vs. Risk Management

Risk management: threats -> likelihood filter -> impacts -> controls -> plans. Aim: protection against threat. May miss high-impact, low-probability events.

BC management: threats -> dependencies filter -> priorities -> controls -> plans -> investment. Aim: recovery of the business. May miss specific risk responses.

Page 30

Governance: team structure and accountabilities

Response: Crisis Management Team; Business Recovery Teams; Incident Management Teams.

Planning and building: BU heads and champions; RMC / steering group; risk management.

Assurance: Audit & Risk Committee; BU heads; internal audit.

Page 31

Governance: crisis management and business continuity teams (response)

Crisis Management Team: focused on future reputation, stakeholder value and decision making.

Business Recovery Teams: focused on recovering the most important business activities, and the eventual restoration of business as usual.

Incident Management Teams: responsible for incidents that impact a site / location. Focused on immediate staff safety, incident management, recovery and salvage, local business protection, local communication, and local decision making.

Page 32

Governance: accountability for planning

Figure: the Risk Management Committee at the top, with Risk Management and Internal Audit alongside; below it the Group Functional Heads and, for each business unit, the BU Head / MD and a Champion.

Page 33

Governance: assurance

The Audit & Risk Committee (ARC) provides oversight on behalf of the Board.

Internal Audit is responsible for assurance on behalf of the ARC.

BU leaders are responsible for assurance that adequate BCM is in place for their business unit.

Functional heads are responsible for assurance that adequate BCM is in place for their function across BUs.

Page 34

05 An approach: exercising

Page 35

Approach: exercise format

The diagram shows the wide range of exercise formats available, increasing in challenge and complexity from left to right. There are two formats of particular note:

• Facilitated discussion: this form of exercise is highly controlled and focuses upon talking through rather than doing the response. It is excellent for engaging a team for the very first time or walking through an entirely new plan. However, it provides little challenge for a highly skilled or high-level team.

• Single-team simulation: in contrast this is a 'doing' exercise where the team need to take and make calls, discuss and make decisions rapidly, and it provides a level of challenge appropriate to a senior management team. However, it requires a greater level of development and engagement to be successful and thus lead to further plan and team improvement.

Figure: formats from left to right, as time and realism, resources, and the goal (compliance, then capability, then confidence) increase: plan walk-through; facilitated discussion; single-team simulation (real-time or accelerated phases); multi-team simulation (real-time or accelerated phases); full-scale live event.

Page 36

Example: 3-week exercise

Figure: calendar of injects delivered to the exercising team over three working weeks (Monday to Friday), with scenario packages issued during the weeks and a simulation in the final week.

Week 1 (4th to 8th): package 1 delivery; TV news; tax on US dollar at PoE; import / export delays; travel updates; IT security; HR requests for info; 2 staff injured; transport delays; UKTI call invitation; radio interview; package 1 follow-up.

Week 2 (11th to 15th): package 2 delivery; TV news; limited site disruption; local unrest; COP leaves FAST; UKTI update call; police presence at R-R sites; staff detained; increased IT security breaches; HR: worried staff, requests for repat; China comms difficult; Margolis arrested, other staff detained; UKTI update call; product yields down, engineer request; package 3 delivery.

Week 3 (18th to 22nd): severe IT breach; rolling power cuts; sites raided; internal transport disruption; flight scheduling; security warning; staff deportations; flights divert from HK; simulation delivery; walkthrough of simulation rooms.

Page 37

Example: mock websites

Page 38

Exercise: planning

Page 39

06 An approach: plans. Response team and plan structure

Page 40

The structure of the response to disruption

Figure: after the trigger, recovery strands run in parallel over time: people, IT recovery, assets and workplace, third parties.

Page 41

Phases of recovery

Figure: after the trigger, recovery runs over time along four strands: people, DRP, workplace recovery, third parties.

• BCM plans need to be structured in line with the phases of recovery. PwC uses the model illustrated.

• Business recovery is not just about IT and workplace recovery. There are also dependencies on staff, suppliers, partners, equipment, vital documents, etc. to consider, and plans to address these are needed.

Page 42

BCM plan structure

Business continuity management is made up of three plan layers, each resting on the resilience strands supply resilience, IT recovery (DRP), workplace and critical equipment recovery, and staffing resilience.

Incident Response: safety and protection of people and property by site; assess, stabilize, secure, and report; co-ordinate external response (police, fire, ambulance); communication and briefing to senior management.

Crisis Management: protection of reputation and business; decision making and direction; communication, external to stakeholders and media; communication, internal to staff; coordination of resources.

Business Recovery: recovery of key products and services; work-arounds and recovery for key dependencies; restoration of infrastructure and functions.

Page 43

BCM response team structure

• Response teams are aligned to the plan structure.

• The teams and plans need to be co-ordinated and integrated, with clear invocation and escalation procedures.

Incident Response Team: safety and protection of people and property; assess, stabilize, secure, and escalate to senior management; coordinate external response (police, fire, ambulance).

Crisis Management Team: protection of reputation and business; decision making and direction; communication, external to stakeholders and media; communication, internal to staff; coordination of resources.

Business Recovery Team: recovery of key products and services; work-arounds and recovery for key dependencies; restoration of infrastructure and functions.

Page 44

Plans designed for ease of use

Design themes:

• Easy to use and navigate

• Easy to update and maintain

• Consistent look and feel

• Designed for the specific user

• Interactive

Page 45

New plan templates, designed for ease of use

Three plans, one per phase: React, the Incident Response Plan; Respond, the Crisis Management Plan; Recover, the Business Recovery Plan.

Incident Response

As a member of the Incident Response Team (IRT) you have a role in coordinating the response to an incident. This manual and the checklist have been designed to guide you through an incident.

How to use this plan: in the event of any incident you should refer to the checklist and access other important information from this manual.

Incident Response Menu:

Checklist: please find the checklist in the front pocket of the manual.

Roles and Responsibilities: incident response team roles and responsibilities.

Site information: critical details you need to know about your site.

Escalation: escalation and activation guideline.

Logs and Records: recording and logging events and actions.

Key Contacts: important internal and external contacts in the event of an incident.

Communication: guidelines for communication, internal and external.

Accommodation: alternative working arrangements for staff.

Response Structure: incident response team structure.

Evacuation Procedures: procedures for both evacuation and invacuation.

Scenario Guidelines: instructions for responding to specific scenarios such as fire, flood.

Page 46

07 Summary: Business Continuity is about ‘the Business’

Page 47

Focus on the business risks...

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2010 ZAO PricewaterhouseCoopers Audit. All rights reserved. In this document, “PwC” refers to ZAO PricewaterhouseCoopers Audit, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Christopher Gould, Director, +7 (495) 967 [email protected]