FM Global Business Risk Consulting Group. Business Continuity Planning and Analysis: Protecting Business Value. Texas PRIMA’s 20th Annual Conference, November 19, 2009


FM Global

Business Risk Consulting Group

Business Continuity Planning and Analysis: Protecting Business Value

Texas PRIMA’s 20th Annual Conference, November 19, 2009


Overall agenda

• Identify key reasons driving Business Continuity Management in today’s global economy

• Context and Terminology

• Reasons for developing a Business Continuity Management Program

• Framework of the strategy and process for developing and writing a Business Continuity Plan

BCM Framework

[Diagram: Design for resilience (Strategy, Culture); Understand your business; Develop your continuity strategies; Implement your continuity strategies; Keep continuity alive]


Today’s business environment

BUSINESS

Competitive pressure

Reduced time to market

Info available to buyers

Operational efficiency

High asset utilization

Lean manufacturing

Corporate governance

Regulatory compliance

Need for transparency

Executive accountability

Global supply chains

Outsourcing

ICT dependency

Network interdependencies


Today’s business world

• We know disruptions will occur, but we don’t know when, for how long, or the cause.

• Directors and ‘C-Suite’ officers must be proactive in mitigating risk.

• An excellent part of being seen to be proactive is to have a business continuity plan in place.

We can’t ELIMINATE risk, but we can at least MANAGE the impact!


Terminology

• How would you define the terms?

ERM, BCM, BCP, DRP, RTO, MTO


A question of scope and focus…

Strategic Operational External Financial

Enterprise risk management… the identification and evaluation of all relevant risks an organization faces, alignment of strategies with risk appetite, and perpetual management of exposures so that entity objectives are achievable.

RISK

Business continuity management… a holistic management process that identifies potential impacts that threaten a company, provides a framework for building resilience and develops the capability for an effective response to safeguard the interests of the stakeholders, reputation, brand and value-creating activities*.

IMPACT

*Courtesy of the Business Continuity Institute

The BCM ‘umbrella’

BUSINESS CONTINUITY MANAGEMENT

• Supply chain management
• Quality management
• Risk management
• Disaster recovery
• Facilities management
• Security
• Crisis communications & public relations
• Health & safety
• Knowledge management
• Emergency management

Courtesy of the Business Continuity Institute (*The Business Continuity Institute 2002)

Business Continuity Plans (BCP)

An element of BCM

[Diagram: BCM framework. Design for resilience (Strategy, Culture); Understand your business; Develop your continuity strategies; Implement your continuity strategies; Keep continuity alive]


BCP and DRP

• Business continuity plan… a documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable pre-defined level*.

• Disaster recovery plan… the management approved document that defines the resources, actions, tasks and data required to manage the recovery effort. It usually refers to the technology recovery effort and is a component of the business continuity management program*.

*Courtesy of the Business Continuity Institute and DRI International


Confused?

ERM

BCM

DRP

BCP


MTO and RTO

• Maximum tolerable outage (also maximum tolerable period of disruption)… the duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed.

• Recovery time objective… the target time set for:
– Resumption of product and service delivery after an incident
– Resumption of performance of an activity after an incident
– Recovery of an IT system or application after an incident
which must support the MTO.

Courtesy of the Business Continuity Institute


Why Should You Have BCM?

What are common reasons for implementing Business Continuity Management?

The Bigger Picture

• Property Damage Risks - typically considered in isolation
– Replacement cost of lost physical assets
– Lost value of production/service delivery

• The Bigger Picture
– Failed delivery ► brand damage
– Cash-flow volatility ► investor confidence loss
– Lost opportunities ► reduced growth potential


Case Study - University of Adelaide

Background

• Founded in 1874
• Over 20,000 students & over 2,500 staff
• 3 weeks into 2005 academic year, waterline breached releasing over 100K liters of water
• Water released into a trench directing water downward toward roof of Plaza Building which housed 3 schools, university library, data center, and central air plant for most of the campus
• Carried 40 tons of silt and mud into Plant Room, IT servers, classrooms and library


Mitigation

Information Technologies
• Disaster recovery plan in place and activated
• Multiple data centers
– 85% of IT systems back in 36 hours
• Competent staff available
• Good relationships with subcontractors

Property Services
• Developed an electrical risk plan
• Upgraded the AC/Thermal plant room
• Asbestos abatement program


Mitigation (continued)

Property Services
• Move important items from exposed areas (if possible)
• Raise equipment off the ground
• Provide back-up generators and related equipment
– Agreements in place for 2 hour delivery
• Protect vulnerable openings with curbing


Impact Summary

• 95% of classes resumed the following Monday
• 95% of electrical, A/C, fire detection equipment back up by next week
• Majority of ceilings, floor coverings replaced within a month
• Impact to IT equipment, projects and resources can be long term
– Can take 4 to 6 months to get equipment recertified
– “Lose IT for even a month in the middle of the semester, we lose the whole semester”


Benefits of BCM

1. Protects the company’s brand and reputation
2. Safeguards and enhances the company’s shareholder value
3. Maintains standards of excellence
4. Helps to optimize and streamline a business or organization
5. Directs a focused IT expenditure
6. Mitigates loss in revenues
7. Enhances customer confidence and assurance on deliverables
8. Demonstrates improved risk quality for insurance purposes
9. Enhances selling-point for contract tenders

In Summary…

Companies that manage risk properly and communicate the effectiveness of these efforts to stakeholders could…

– gain competitive advantage
– boost financial performance
– enhance shareholder value
– protect the value their business creates


Protecting Business Value:

Effective Business Continuity Planning

Framework

BCM Framework

[Diagram: Design for resilience (Strategy, Culture); Understand your business; Develop your continuity strategies; Implement your continuity strategies; Keep continuity alive]

Design for Resilience

• Strategy
– Engage executive management
– Define objectives: managed resilience
– Establish steering committee
– Think resilience at design not execution
– Make business continuity strategic

• Culture
– Elevate and expand continuity awareness
– Communicate the benefits widely
– Embed continuity in culture: be active not reactive

BCM Framework

[Diagram: Design for resilience (Strategy, Culture); Understand your business; Develop your continuity strategies; Implement your continuity strategies; Keep continuity alive]

Why?

In times of crisis, resources – money, people, time, materials – are scarce.

You can’t solve everything at once – you need to know where to direct these scarce resources.

To know where to direct resources, you must determine which activities are critical to maintaining continuity and achieving your strategic objectives.

You must Understand Your Business

[Diagram: Design for resilience; Understand your business]

The Business Impact Analysis

• Risk Analysis: What are the key hazards? What are the credible loss scenarios? What is the quality of risk mitigation within the business?

• Financial Analysis: How much profit do these products and services generate? Where are the costs associated with their delivery to customers?

• Business Impact Analysis: What are the key facilities and processes that drive revenues and costs, what could go wrong within these and what would be the cost to the business if it did go wrong?

• Risk Mitigation Opportunities: How can these exposures be mitigated in order to ensure business continuity and protect shareholder value?

• Business Model Analysis: How do products and services flow through the internal and external supply chain? How could these flows be interrupted?


BIA outcomes

• Improved protection of critical processes
• Changes to production/service processes
• Product range rationalization
• Dual/multiple sourcing of suppliers
• Increased levels of key components
• Continuity plans developed/refined
• Supplier approval process extended
• Recovery Time Objective (RTO)

BCM Framework

[Diagram: Design for resilience (Strategy, Culture); Understand your business; Develop your continuity strategies; Implement your continuity strategies; Keep continuity alive]


Strategy Objective

Make decisions regarding business continuity strategies and identify actions required for the development of a Business Continuity Plan


Strategic Objectives

Remember… the overriding objectives of a BCP are:

– …to reduce the time in which products are unavailable to the company’s key customers and markets

– …to maintain an optimum volume of sales to these customers & markets while normal operations are being re-established, and

– …to ensure the company’s survival


Purpose of Strategy

• Stop the event

• Make any interruption “transparent” to your clients

• Have plans in place to deal with residual risk


Strategies: Corporate Tips

Tips to keep in mind when developing strategies:

1. Collect available documentation

2. Six key areas for consideration

3. Identify viable strategies

4. Identify resource and asset needs

5. Methodology for evaluation of strategies

6. Consolidate your strategies

7. Formalize the business unit or division strategy

8. Obtain executive commitment

BCM Framework

[Diagram: Design for resilience (Strategy, Culture); Understand your business; Develop your continuity strategies; Implement your continuity strategies; Keep continuity alive]

• Implement strategies to build resilience
• Develop response, recovery, and continuity plans


…the Business Continuity Plan

…the Business Continuity Plan (BCP) provides a framework for decision-making by:

• identifying necessary actions to be taken
• assigning roles & responsibilities
• establishing resources to implement the plan

…that will achieve stated strategic objectives set by the board…

BCM: phases of response

[Chart: Service Capacity (0% to 100%) against Time, showing normal operations, minimum operations to achieve survival, unplanned business restoration, and the decision to invoke BCP]

Incident Response Plan (immediate and short term)
• Emergency Response Plans
• Account for personnel
• Damage containment
• Damage assessment
• Decision to invoke BCP

Disaster Recovery Plan (short to medium term)
• Contact staff, customers and suppliers
• Recover critical business processes locally
• Recover work schedule
• Decision to invoke BCP

Business Continuity Plan (short to long term)
• Implement business continuity strategies for critical business processes
• Address customer base and market impact
• Implement Business Resumption Plan


Business Unit Plans

• Provide business function managers with a reference guide for early recovery of essential services

• Identify key internal and external resources

• Identify mission critical processes

• Key actions/decisions

BCM Framework

[Diagram: Design for resilience (Strategy, Culture); Understand your business; Develop your continuity strategies; Implement your continuity strategies; Keep continuity alive]


Why Plans Fail

Do you know the number one reason why BC plans fail?


Why Business Continuity Training?

• Needs a series of complex, interdependent and independent tasks to be executed in a coordinated manner under stressful conditions.

• All personnel need to know:

– What is my role? What do I need to do?

– Where should I go?

• Manuals are unlikely to be read during the incident.

• Situations will arise which will be alien to traditional styles of management for normal operations

Why Business Continuity Training?

• To evaluate current BCM competence
• To identify areas for improvement
• To validate assumptions
• To improve confidence
• To develop teamwork
• To raise awareness

There is no PASS/FAIL, only an accumulation of knowledge

BCM: Maintenance

Maintenance of your plan:

• Is driven from changes in people, processes, market environment, legislation, risk and business strategy.
• Ensures your plan is current, accurate, complete and exercised.
• Should be performed at least annually.


Summary

• Exercise your plans
– Design and enact plan exercises
– Learn from successes and shortcomings
– Revise plans accordingly

• Maintain and improve
– Understand changes to business model
– Review and refine continuity strategies
– Revise plans accordingly

Brian J. Hunt, CPA, CFE, CBCP
Senior Consultant, FM Global
5700 Granite Parkway, Suite 700, Plano, Texas 75024
972-731-1608
LinkedIn: http://www.linkedin.com/in/brianjhunt

Protecting the value business creates!

BCM Framework

[Diagram: Design for resilience (Strategy, Culture); Understand your business; Develop your continuity strategies; Implement your continuity strategies; Keep continuity alive]

Follow-up questions at your workplace…

• Do you know which product/service generates most of your profits?

• Do you know its path through your business?

• Who is your most critical supplier and what’s the business impact of their failure?

• Are validated, updated, tested and reasonable BCPs in place across your business?

• Can your business withstand a major unplanned interruption?


Seven simple questions

1. What is your organization trying to achieve?

2. What products and services does it deliver to achieve this?

3. Which markets does it deliver them to?

4. What processes enable their delivery?

5. How much money do they generate?

6. What could happen to stop these processes?

7. What would happen if these processes stopped?