Business Continuity Planning and Analysis: Protecting Business Value
Texas PRIMA’s 20th Annual Conference
November 19, 2009
FM Global Business Risk Consulting Group

Overall agenda
• Identify key reasons driving Business Continuity Management in today’s global economy
• Context and Terminology
• Reasons for developing a Business Continuity Management Program
• Framework of the strategy and process for developing and writing a Business Continuity Plan

BCM Framework
[Diagram labels: Understand your business; Strategy; Keep continuity alive; Design for resilience; Culture; Implement your continuity strategies; Develop your continuity strategies]

Today’s business environment
[Diagram labels: Corporate governance; Regulatory compliance; Need for transparency; Executive accountability; Competitive pressure; Reduced time to market; Info available to buyers; BUSINESS; Global supply chains; Outsourcing; ICT dependency; Network interdependencies; Operational efficiency; High asset utilization; Lean manufacturing]

Today’s business world
• We know disruptions will occur, but we don’t know when, for how long, or the cause.
• Directors and ‘C-Suite’ officers must be proactive in mitigating risk.
• An excellent part of being seen to be proactive is to have a business continuity plan in place.

Terminology
• How would you define the terms?
ERM, BCM, BCP, MTO, DRP, RTO, RISK

A question of scope and focus…
Enterprise risk management… the identification and evaluation of all relevant risks an organization faces, alignment of strategies with risk appetite, and perpetual management of exposures so that entity objectives are achievable.
[Diagram labels: IMPACT; Strategic; Operational; External; Financial]
Business continuity management… a holistic management process that identifies potential impacts that threaten a company, provides a framework for building resilience and develops the capability for an effective response to safeguard the interests of the stakeholders, reputation, brand and value creating activities*.
*Courtesy of the Business Continuity Institute
*The Business Continuity Institute 2002

The BCM ‘umbrella’
BUSINESS CONTINUITY MANAGEMENT
• CRISIS COMMUNICATIONS & PUBLIC RELATIONS
• SECURITY
• EMERGENCY MANAGEMENT
• KNOWLEDGE MANAGEMENT
• HEALTH & SAFETY
• QUALITY MANAGEMENT
• SUPPLY CHAIN MANAGEMENT
• FACILITIES MANAGEMENT
• DISASTER RECOVERY
• RISK MANAGEMENT
Courtesy of the Business Continuity Institute

Business Continuity Plans (BCP)
An element of BCM

BCP and DRP
• Business continuity plan… a documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level*.
• Disaster recovery plan… the management approved document that defines the resources, actions, tasks and data required to manage the recovery effort. It usually refers to the technology recovery effort and is a component of the business continuity management program*.
*Courtesy of the Business Continuity Institute and DRI International

Confused?
ERM, BCM, BCP, DRP

MTO and RTO
• Maximum tolerable outage (also maximum tolerable period of disruption)… the duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed.
• Recovery time objective… the target time set for:
  – Resumption of product and service delivery after an incident
  – Resumption of performance of an activity after an incident
  – Recovery of an IT system or application after an incident
  which must support the MTO.
Courtesy of the Business Continuity Institute

Why Should You Have BCM?
What are common reasons for implementing Business Continuity Management?

The Bigger Picture
• Property Damage Risks - typically considered in isolation
  – Replacement cost of lost physical assets
  – Lost value of production/service delivery
• The Bigger Picture
  – Failed delivery ► brand damage
  – Cash-flow volatility ► investor confidence loss
  – Lost opportunities ► reduced growth potential

Case Study - University of Adelaide
Background
• Founded in 1874
• Over 20,000 students & over 2,500 staff
• 3 weeks into 2005 academic year, waterline breached releasing over 100K liters of water
• Water released into a trench directing water downward toward roof of Plaza Building which housed 3 schools, university library, data center, and central air plant for most of the campus
• Carried 40 tons of silt and mud into Plant Room, IT servers, classrooms and library

Case Study - University of Adelaide
Mitigation
Information Technologies
• Disaster recovery plan in place and activated
• Multiple data centers
  – 85% of IT systems back in 36 hours
• Competent staff available
• Good relationships with subcontractors
Property Services
• Developed an electrical risk plan
• Upgraded the AC/Thermal plant room
• Asbestos abatement program

Mitigation (continued)
Property Services
• Move important items from exposed areas (if possible)
• Raise equipment off the ground
• Provide back-up generators and related equipment
  – Agreements in place for 2 hour delivery
• Protect vulnerable openings with curbing

Impact Summary
• 95% of classes resumed the following Monday
• 95% of electrical, A/C, fire detection equipment back up by next week
• Majority of ceilings, floor coverings replaced within a month
• Impact to IT equipment, projects and resources can be long term
  – Can take 4 to 6 months to get equipment recertified
“Lose IT for even a month in the middle of the semester, we lose the whole semester”

Benefits of BCM
1. Protects the company’s Brand and Reputation.
2. Safeguards and enhances the company’s shareholder value
3. Maintains standards of excellence
4. Helps to optimize and streamline a business or organization
5. Directs a focused IT expenditure
6. Mitigates loss in revenues
7. Enhances customer confidence and assurance on deliverables
8. Demonstrates improved risk quality for insurance purposes
9. Enhances selling-point for contract tenders

In Summary….
Companies that manage risk properly and communicate the effectiveness of these efforts to stakeholders could…
– gain competitive advantage
– boost financial performance
– enhance shareholder value
– protect the value their business creates

Protecting Business Value: Effective Business Continuity Planning Framework

BCM Framework

Design for Resilience
• Strategy
  – Engage executive management
  – Define objectives: managed resilience
  – Establish steering committee
  – Think resilience at design not execution
  – Make business continuity strategic
• Culture
  – Elevate and expand continuity awareness
  – Communicate the benefits widely
  – Embed continuity in culture: be active not reactive

BCM Framework

Design for resilience
Why?
In times of crisis, resources – money, people, time, materials – are scarce.

Understand your business
You can’t solve everything at once – you need to know where to direct these scarce resources.
To know where to direct resources, you must determine which activities are critical to maintaining continuity and achieving your strategic objectives.
You must Understand Your Business

The Business Impact Analysis
Risk Analysis
• What are the key hazards?
• What are the credible loss scenarios?
• What is the quality of risk mitigation within the business?
Business Model Analysis
• How do products and services flow through the internal and external supply chain?
• How could these flows be interrupted?
Financial Analysis
• How much profit do these products and services generate?
• Where are the costs associated with their delivery to customers?
Business Impact Analysis
• What are the key facilities and processes that drive revenues and costs, what could go wrong within these and what would be the cost to the business if it did go wrong?
Risk Mitigation Opportunities
• How can these exposures be mitigated in order to ensure business continuity and protect shareholder value?

BIA outcomes
• Improved protection of critical processes
• Changes to production/service processes
• Product range rationalization
• Dual/multiple sourcing of suppliers
• Increased levels of key components
• Continuity plans developed/refined
• Supplier approval process extended
• Recovery Time Objective (RTO)

BCM Framework

Strategy Objective
Make decisions regarding business continuity strategies and identify actions required for the development of a Business Continuity Plan

Strategic Objectives
Remember… the overriding objectives of a BCP are:
– …to reduce the time in which products are unavailable to the company’s key customers and markets
– …to maintain an optimum volume of sales to these customers & markets while normal operations are being reestablished, and
– …to ensure the company’s survival

Purpose of Strategy
• Stop the event
• Make any interruption “transparent” to your clients
• Have plans in place to deal with residual risk

Strategies: Corporate Tips
Tips to keep in mind when developing strategies:
1. Collect available documentation
2. Six key areas for consideration
3. Identify viable strategies
4. Identify resource and asset needs
5. Methodology for evaluation of strategies
6. Consolidate your strategies
7. Formalize the business unit or division strategy
8. Obtain executive commitment

BCM Framework
• Implement strategies to build resilience
• Develop response, recovery, and continuity plans

…the Business Continuity Plan
…the Business Continuity Plan (BCP) provides a framework for decision-making by:
• identifying necessary actions to be taken
• assigning roles & responsibilities
• establishing resources to implement the plan
…that will achieve stated strategic objectives set by the board…

BCM: phases of response
[Chart: Service Capacity (0% to 100%) against Time. Labels: Normal operations; Minimum operations to achieve survival; Unplanned business restoration; Decision to invoke BCP]
Incident Response Plan (Immediate and short term)
• Emergency Response Plans
• Account for personnel
• Damage containment
• Damage assessment
• Decision to invoke BCP
Disaster Recovery Plan (Short to medium term)
• Contact staff, customers and suppliers
• Recover critical business processes locally
• Recover work schedule
• Decision to invoke BCP
Business Continuity Plan (Short to long term)
• Implement business continuity strategies for critical business processes
• Address customer base and market impact
• Implement Business Resumption Plan

Business Unit Plans
• Provide business function managers with a reference guide for early recovery of essential services
• Identify key internal and external resources
• Identify mission critical processes
• Key actions/decisions

BCM Framework

Why Plans Fail
Do you know the number one reason why BC plans fail?

Why Business Continuity Training?
• Needs a series of complex, interdependent and independent tasks to be executed in a coordinated manner under stressful conditions.
• All personnel need to know:
  – What is my role? What do I need to do?
  – Where should I go?
• Manuals are unlikely to be read during the incident.
• Situations will arise which will be alien to traditional styles of management for normal operations

Why Business Continuity Training?
• To evaluate current BCM competence
• To identify areas for improvement
• To validate assumptions
• To improve confidence
• To develop teamwork
• To raise awareness
There is no PASS/FAIL, only an accumulation of knowledge

BCM: Maintenance
Maintenance of your plan:
• Is driven from changes in people, processes, market environment, legislation, risk and business strategy.
• Ensures your plan is current, accurate, complete and exercised.
• Should be performed at least annually.

Summary
• Exercise your plans
  – Design and enact plan exercises
  – Learn from successes and shortcomings
  – Revise plans accordingly
• Maintain and improve
  – Understand changes to business model
  – Review and refine continuity strategies
  – Revise plans accordingly

Brian J. Hunt, CPA, CFE, CBCP
Senior Consultant
FM Global
5700 Granite Parkway, Suite 700
Plano, Texas 75024
972-731-1608
Brian.hunt@fmglobal.com
Linkedin: http://www.linkedin.com/in/brianjhunt

BCM Framework

Follow-up at your workplace, question….
• Do you know which product/service generates most of your profits?
• Do you know its path through your business?
• Who is your most critical supplier and what’s the business impact of their failure?
• Are validated, updated, tested and reasonable BCPs in place across your business?
• Can your business withstand a major unplanned interruption?

Seven simple questions
1. What is your organization trying to achieve?
2. What products and services does it deliver to achieve this?
3. Which markets does it deliver them to?
4. What processes enable their delivery?
5. How much money do they generate?
6. What could happen to stop these processes?
7. What would happen if these processes stopped?