www.pwc.com
Business Resiliency
Business Continuity Management
January 14, 2014
PwC
Agenda
• Key Definitions
• Risks
• Business Continuity Management Program
• BCM Capability Assessment Process
• BCM Value Proposition
• Q&A
Key Definitions: The Concept of BCM
• The capability of resuming operations after a significant unplanned event.
• Preparedness and exercise / practice are the keys to success
• Business function resource prioritization (dependency analysis) based on impacts to:
 o Technology: data center contents destruction, software malfunction, technology provider outage
 o Facilities: earthquake, fire, flood, wind damage, municipal utilities outage, terrorism, political strife
 o People: pandemic, political strife, terrorism threat, labor action, impact from natural / man-made event
 o Key Third Parties: technology, financial, personnel, transportation and maintenance service provider outage
• Aligned to Enterprise-wide Risk Management and overall business strategies.
Key Definitions: BCM Elements
Business Continuity Management: Process of identifying, preventing, preparing for and responding to events that may disrupt business activities.
Crisis Management: Command and control over the response to make critical decisions and drive communications, both internal and external.
Business Continuity: Continuity of critical business functions at an acceptable level during an incident.
Disaster Recovery: Restoration of business services and systems (IT and data) during an incident.
Emergency Response: Immediate first-response activities to protect lives and limit damage.
Contingency Plan: All-hazard plans for specific response to catastrophic events.
Risks: Why is BCM Relevant Today
• Stakeholder and Board concerns about the level of preparedness
• Concentration of critical functions in fewer locations
• Negative brand and reputational impact
• Investors want to feel confident
• Reduced workforces / ‘optimization’
• Limited capital availability
BCM Drivers (figure labels): Crisis; Consolidation and Globalization; Technology Advancement; Reputational Concerns; Regulatory and Industry Standards; Business Requirements
• Thinly populated and high-velocity supply chains and inventories
• Increase in frequency and severity of man-made and natural disasters
• High reliance on enterprise systems (24/7)
• Mergers, acquisitions and divestitures
• Disconnect between IT recovery capabilities & business unit technology availability requirements
• Regulatory and rating agency pressures
Risks: BCM Deployment
• Traditionally focused on emergency response for workforce management, supply chain disruptions and transportation incidents, as well as IT disaster recovery. Elements of external crisis communication are also found.
• Interruption risks that impact corporate functions are infrequently covered.
• If a recent (less than 3 years) ‘Business Impact Analysis’ and ‘Interruption Risk Assessment’ have not been performed, management likely has a low awareness of how function interruptions will impact the enterprise.
• Functions potentially needing more rapid recovery and interim interruption operational procedures include:
• Corporate and Business Unit Management functions
• Cash management / Payables, Payroll
• Transportation and Logistics Management
• Human Resources
• Vendor management
BCM Program: Characteristics of a BCM Program
Business Continuity Management program quadrants (figure):
Assessment and Ownership
• Critical Asset Inventory
• Enterprise Risks/Impacts
• Program Guide
• Steering Committee
Planning and Deployment
• Integrated plans (ERP, BCP, DR and CMP)
• Tools for plan enablement
• Enhanced for specific events
• Easy to use and update
Exercise / Testing
• Progressive exercise (crawl, walk, run)
• Frequency leveraged into existing lifecycle events
• Report results (Sr Leaders)
Training and Awareness
• Formalized training, easy/simple (annual update and renewal)
• Frequent awareness sessions
• Embedded BCM culture
BCM Program: BCM methodology
Staircase (figure): Initiate, Analyze, Strategize, Development, Maintain
Staircase Methodology is a five-tiered approach to business continuity management that is supported by numerous tools allowing a set of services relevant to successful programs.
Initiate: Project planning & kick off
Analyze: Risk Assessment & Business Impact Analysis
Strategize: Recovery strategy development
Development: Plan & recovery capability development
Maintain: Implementation & maintenance
People / Crisis Management. Strategic Command and Control: Develop a unified command and control mechanism for event identification, evaluation, escalation, declaration, plan activation and deactivation.
Process / Business Continuity. Keeping the business running: Develop recovery strategies and continuity plans for critical business functions required to sustain an acceptable level of operation during a significant business interruption.
Technology / Disaster Recovery. Keeping the technology operational: Identify the resiliency strategies for the required essential information technology infrastructure, hardware, software and data during a crisis.
BCM Program: Understand the Business
Initiate
Project planning
• Develop program governance
• Establish planning assumptions
• Establish steering committee and program team
• Develop program plan
• Plan tools and approach to meet the organizational culture and requirements
Discovery
• Review the organization’s strategic plans
• Existing documentation reviews (policy, procedures, controls, org)
• Questionnaires and surveys
• Interviews and workshops (gather data and train)
BCM Program: Risk and Business Impact Analysis
This is the key core component of the BCM process! Quantify risks and impacts.
Analyze
Inputs (figure): surveys, one-on-one meetings, facilitated sessions, executive management validation
What is the business impact?
• 100 percent of processes: “Useful Many”
• 20 percent of processes: “Critical Few”
Critical functions: Identification of supporting technology services, vital records, facilities, personnel requirements, internal interdependencies and critical third parties.
Business functions, assets and systems
BCM Program: Determine Recovery Solutions
Strategize
Recovery strategy development
• Identify recovery capability gaps
• Integrate and finalize recovery requirements
• Recommend risk mitigation measures
• Review and assess current strategies
• Identify and price recovery strategy alternatives
• Evaluate recovery vendors if needed
• Quantify critical resources by function and develop recovery time line
• Quantify and qualify appropriate recovery options
• Management checkpoint: review options and select recovery strategy
• Develop implementation procedures for selected strategy
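The dependency analysis of the Analyze step and the "identify recovery capability gaps" step of Strategize can be worked through mechanically once the BIA data is captured. The script below is an added example, not code from the deck or from PwC. Every business function, supporting system, impact rating, RTO and RTA in it is constructed sample data; the rule that a supporting resource inherits the shortest RTO of any function depending on it, and the 20 percent "critical few" cut-off taken from the Analyze slide, are the assumptions it illustrates.

```python
"""Added example: BIA dependency analysis and recovery capability gap detection."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    impact: int            # BIA impact rating, 1 (low) to 5 (severe); constructed scale
    rto_hours: float       # Recovery Time Objective the business requires
    depends_on: tuple      # supporting systems / third parties from dependency analysis


@dataclass(frozen=True)
class Resource:
    name: str
    rta_hours: float       # Recovery Time Actual: what IT or the provider can deliver today


# Constructed sample BIA output; functions taken from the deck's "needing more rapid
# recovery" list, all numbers and dependencies invented for illustration.
FUNCTIONS = (
    BusinessFunction("Corporate Management", 5, 4, ("Telecom", "Email")),
    BusinessFunction("Cash Management / Payables", 5, 8, ("Finance System", "Bank Gateway", "Treasury System")),
    BusinessFunction("Transportation and Logistics", 4, 12, ("TMS", "Telecom")),
    BusinessFunction("Payroll", 4, 24, ("Finance System", "Bank Gateway")),
    BusinessFunction("Vendor Management", 3, 48, ("Finance System",)),
    BusinessFunction("Human Resources", 2, 72, ("HRIS",)),
)

RESOURCES = {r.name: r for r in (
    Resource("Finance System", 48),
    Resource("Bank Gateway", 4),       # key third party
    Resource("Treasury System", 24),
    Resource("TMS", 12),
    Resource("Telecom", 2),
    Resource("Email", 8),
    Resource("HRIS", 96),
)}


def critical_few(functions=FUNCTIONS, fraction=0.2):
    """Rank by impact (highest first), then by RTO (shortest first), keep the top share."""
    ranked = sorted(functions, key=lambda f: (-f.impact, f.rto_hours))
    return [f.name for f in ranked[:ceil(len(ranked) * fraction)]]


def required_rto(functions=FUNCTIONS):
    """A resource must recover within the shortest RTO of any function that depends on it."""
    required = {}
    for f in functions:
        for dep in f.depends_on:
            required[dep] = min(required.get(dep, float("inf")), f.rto_hours)
    return required


def recovery_gaps(functions=FUNCTIONS, resources=RESOURCES):
    """Resources whose current RTA exceeds the RTO the business needs from them.

    Returns {resource: hours of shortfall}; None marks a dependency with no known
    recovery capability, which is itself a finding for the Strategize step.
    """
    gaps = {}
    for name, rto in required_rto(functions).items():
        res = resources.get(name)
        if res is None:
            gaps[name] = None
        elif res.rta_hours > rto:
            gaps[name] = res.rta_hours - rto
    return gaps


if __name__ == "__main__":
    print("Critical few:", critical_few())
    for name, shortfall in sorted(recovery_gaps().items()):
        print(f"{name}: required RTO {required_rto()[name]}h, shortfall {shortfall}h")
```

Each entry the gap report prints is a candidate line in the "identify and price recovery strategy alternatives" work: the shortfall is the number of hours the current strategy for that resource must improve by, and a None entry means the dependency was surfaced by the BIA but never mapped to a recovery capability at all.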
BCM Program: Design and Build the Program and Plans
Development
Plan and Recovery Capability Development
• Establish planning assumptions
• Determine plan tools and approach to meet the organization’s requirements
• Document plans and procedures for organization or individual business processes
• Develop emergency action and crisis management procedures
• Develop recovery and communications plans (IT and Business)
• Develop migration procedures (IT and Business)
• Develop operational procedures (IT and Business)
• Document recovery team procedures (IT and Business)
• Identify assessment and change triggers
• Develop recovery plan testing strategy
• Develop training strategy, procedures and plan
• Management checkpoint
BCM Program: Operate and Sustain the BCM Program
Maintain
Implementation and Exercise Testing
• Facilitate implementation
• Embed and integrate BCM into end-to-end program management
• Develop and conduct testing, training, and maintenance processes and tools
• Conduct simulations and plan enactment
• Revise and validate BCPs/DRPs/CMPs
• Develop maintenance processes to support plans and capabilities
• Periodic program assessment, benchmarking and maturity ranking
Exercise progression (figure):
Table Top
• Building understanding
• Confirm strategy and plan components
Component
• Test that strategy components and plan elements work individually
Simulation
• Practice real-time responses
• Test actual strategies
• Build confidence
BCM Capability Assessment Process
Dimensions assessed: Risk Assessment; Business Impact Analysis; Policy & Governance; Business & Technology Recovery Strategies; Plan Development, Documentation & Implementation; Testing; Sustainability / Maintenance; Training & Awareness; Review
Level 1
• No designated sponsor
• No risk assessment / BIA
• RTOs not identified
• Business recovery strategies not documented
• No maintenance or testing
Level 2
• Steering committee exists
• Risk assessment / BIA
• Application RTOs defined
• Limited documentation
• Limited BCM vs IT needs and capabilities
• Limited program testing
Level 3
• Training procedures in place and documented
• Program sponsorship
• Assessments
• Business RTO and Application RTA optimized
• Framework for recovery & restoration established
• Critical dependencies
• Documentation not validated for all plans (EAP, CMP, BCP)
• Testing occurs with communications tools to be used during recovery
• Objective program review occurs periodically
Level 4
• BC program policies and standards documented
• Detailed business impacts and risks, quantified
• Fully documented plans up-to-date with dependencies (internal and external)
• Detailed plans for failover and failback of all critical systems are developed
• Employees aware of program and involved in drills to successfully demonstrate recovery within stated RTOs
• Pre-defined maintenance triggers in place and followed for automatic plan updates
• Formal test schedule
Level 5
• A culture of business resiliency exists and is embedded in the day-to-day operations
• Importance of BC is applied to external parties
• Robust testing performed throughout the year including tests with key vendors and ad-hoc/surprise tests
• Change management, risk management, SDLC and training programs have BCM compliance gates
• System is in place to maintain employee competency for performing recovery responsibilities
• Senior management reviews the program at pre-determined intervals against defined metrics
Our operational preparedness reviews benchmark against BCM leading practices.
BCM Value Proposition
Reduces the impact of business interruptions through careful advance planning on key services and processes through the identification of “mission critical” business processes and supporting resources (cost-effective and practical).
Ensures rapid availability of management decision-making capabilities and communication.
Balances recovery strategy options between real estate costs and physical diversity protection; the cost-benefit balance addresses competing technical and business priorities (objective approach).
Reduces risk of potential loss of customers, brand reputation, revenue and assets.
Potentially enhanced risk profile with insurance carriers, affecting: Property, BI, CBI, Extra Expense, D&O, E&O coverage/premiums.
Reduced risk and improvement of recovery times.