DOP Template 08655 - Heart of America Chapter

Zero Disruptions Workshop
Strategies and Solutions for Maintaining Business
Continuity
Calvin (Cal) Beyer
5th Annual PDC
April 18, 2013
Your Presenter: Cal Beyer
•
•
•
•
•
•
•
•
25 years of insurance industry experience
Multi-industry risk management thought leader
Former National Officer of Construction Financial Management Association
Author/co-author of articles on emergency management, critical incident
response, reputation risk and business continuity
Co-author of CFMA Business Continuity “Lessons Learned” resource
Co-developer of CFMA Emergency Management continuing education course
– Co-presented CFMA’s EMP course annually since 2007 at Annual
Conference
– 30 presentations (2006-2010) for 2,400+ financial and operational
professionals
Keynote speaker at Rockwell Automation’s 2012 Safety Automation Forum
Co-presenting at 2013 ASSE Professional development Conference in Las Vegas
Risk Leadership
Source: Artwork by Jen Olney
(@GingerConsult & #Bealeader)
Discussion Topics
Strategic Risk Management & Resiliency
Disruptions and Vulnerabilities
Emergency Management &
Business Continuity Fundamentals
Insurance and Risk Management
Strategies & Resources
Icebreaker
• How many different industries and segment are represented in today’s
session? Examples:
– Manufacturing (automobile, food, machinery, pharma, etc.)
– Construction (Heavy/Highway, GC/CM, specialty trade)
• What are the functional responsibilities of today’s attendees?
• How effective is your company’s Emergency Plan?
– Formal (written procedures)?
– Current (last revised?)
– Basic or Comprehensive?
– On the shelf or tested in practice?
Disaster Response to Zero Disruptions
4 distinct phases of training sessions:
1. Disaster response
2.
Emergency planning and preparedness
3.
Crisis management and reputation risk
4.
Zero Disruptions
Leadership Lessons from Nashville Flood
Colin Reed; Chairman & CEO, Ryman Hospitality Properties
(Formerly Gaylord Entertainment)
•
The time for creating an emergency plan is not during the
emergency
– Prepare an emergency manual that outlines the potential
"events" and "responses."
•
Build the "right" culture of leaders, management and employees
•
Communication has to be direct and honest during an emergency
•
“We are a better company because of what we went through."
Source: DeVries, M.J. (2010 August 16). Best Practices Construction Law.
http://www.bestpracticesconstructionlaw.com/2010/08/articles/leadership/colin-reed-leadership-lessons-fromnashvilles-flood-recovery/
It Could Happen Tomorrow: Reality TV?
•
The Weather Channel (www.weather.com)
•
“… unbelievable yet possible acts of nature which could spell disaster
for cities across America”
•
Hurricane Katrina “predicted” before it hit New Orleans
– Pilot episode completed in April 2005 on hypothetical category 5
hurricane striking New Orleans… but did not air until June 2006
– Substituted with hurricane striking NYC thereby “predicting” 2012
Super Storm Sandy
8
Key Risk Management Principles
•
Risk management processes
Decision making
– Business improvement
–
•
•
•
Tangible and intangible assets are “at risk”
“Frequency breeds severity”
“Prevention is better than mitigation”
–
•
Mitigation is better than litigation
Indirect (uninsured) costs are a multiplier on direct
(insured) costs
Integrated Risk Management Model: PQRS
Levers for Profitability
Productivity
Quality
Risk
Safety
7 Types of Business Risk
Source: Copyright 2010. Construction Financial Management
Association. Emergency Management Planning continuing
education course. All rights reserved. Used with permission.
11
Risk Management: Simple Definition
“The preservation of an organization’s
human and financial resources”.
Preservation = Conservative Approach
Strategic Risk Management: Definition
“The preservation and leveraging of an
organization’s human, financial and strategic assets.”
Leveraging to Seize Strategic Opportunities Based on Risk to Reward Ratio
Zero Disruptions: Integrated
Framework
Crisis
Communication
Business
Continuity
Emergency
Management Planning
& Disruption
Prevention
Enterprise
Risk Planning
Source: Copyright 2010. Construction Financial Management Association. Emergency
Management Planning continuing education course. All rights reserved. Used with permission
Zero Disruptions: Interrelated Disciplines
Business Continuity
Emergency Planning
Zero
Disruptions
Supply Chain Resilience
Crisis Communications
Exercise #1: Real Disruption Events
Individually brainstorm the following question:
What types of events can disrupt
ordinary business operations?
Examples of Business Disruptions
Earthquake
Fatality accident
Loss of key personnel
Fire
Power outage
Labor strike
Flood
IT system crash
Vandalism
Tornado/Hurricane
Workplace violence
Blizzard/Ice storm
Equipment theft
Chemical/HazMat spill
Dam/Levee break
Hacker/virus
Supplier insolvency
Breach of privacy data
Terrorism
Structure collapse
Demonstrations
or riots
Source: Copyright 2010. Construction Financial Management Association. Emergency Management
Planning continuing education course. All rights reserved. Used with permission
Real Examples of Business Disruptions
• 45 attendees at 2011 CFMA Conference generated 36 real life
disruptions that interrupted corporate operations or project
activities
• 6 general grouping of disruptions:
1. Natural Disaster or Fortuitous Risk
2. Utility Outage
3. IT/Computer Problem
4. Supply Chain Interruption
5. Operational Risk
6. Financial Problem
Natural Catastrophes vs. Man-Made
(Technological) Disasters
Natural Catastrophes
Floods, storms, hurricanes, tornadoes
Earthquakes and landslides
Drought, fire, heat
Ice storms
Man-made Disasters
Major fires or explosions
Utility emergencies
IT & telecom failures & Cyber-security breaches
Aviation, shipping and rail disasters
Collapse of dams, buildings, bridges
Pollution and hazardous materials spills
Crime, war and terrorism
Pandemic flu
Tendency to Over-Emphasize Nat Cats; Increased Vulnerability to Man-Made Disasters
Characteristics of Disruptions
Type: Natural events vs. man-made (technological)
Probability: Likely vs. unlikely
Foreseeability: Expected vs. unexpected
Frequency: Recurring vs. random
Scope: Emergency vs. disaster
Scale: Isolated vs. widespread
Severity: Minor vs. major
Exercise #2: Adverse Consequences
Individually brainstorm the following question and be
prepared to share examples with the group:
What are the possible types of adverse
consequences or outcomes of not having an
effective emergency management plan?
Adverse Consequences of Disruptions
Personal injuries
• Fatalities
• Service interruption
• Broken supply chain
• Cash flow crisis
• Financial default
• Bankruptcy
•
Breach of contract
• Loss of reputation and
goodwill
• Relocation of business
• Absenteeism and attrition
• Labor shortage
•
Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning
continuing education course. All rights reserved. Used with permission
Reality Check: Austere Consequences
•
What is the cost of “down day”?
– “Down week”
– “Down month”
•
Temporarily relocated business?
•
Permanently shuttered business?
Typical Recovery Time Objective: Resumption of Normal Business Activities Within 24 Hours
Exercise #3: Benefits & Positive
Outcomes
Individually brainstorm the following question and be
prepared to share examples with the group:
What are the possible benefits and positive
outcomes of having an effective
emergency management plan?
Benefits of Emergency Management Plans
 Reduce business disruption
 Protect human, physical and financial assets
 Maintain sustainable cash flow
 Preserve customer base
 Continue supply of services/products
 Maintain reputation and public confidence
 Preserve investor / creditor confidence
 Mitigate legal liability
 Maximize insurance recovery and reduce
insurance costs, etc.
Elements of Emergency Plans
 Purpose and policy
statement
 Authority and
responsibilities
 Types of emergencies
 Vulnerability assessment
 Emergency operations
center and procedures
 Business continuity




protocols
Crisis management and
communication protocols
Site maps
Evacuation procedures
Resource lists
 Internal
 External
Vulnerability Assessment
•
Need for vulnerability assessment to determine priorities for
planning
•
Over-emphasis on natural disasters
•
Under-emphasis on man-made or technological threats
– I.T./business continuity and utility outages
– Supply chain: Contingent risks and interdependencies
Example Risk Matrix
• Probability vs. Severity (Likelihood vs. Impact)
Source: www.fdicoig.gov (2005).
Strategic “Blind Spot”
Incomplete
Information
Lack of
Prior
Experience
Strategic
“Blind Spot”
Undetected Early
Warning Signals
Source: Copyright 2010. Construction Financial Management Association. Emergency Management
Planning continuing education course. All rights reserved. Used with permission
Exercise #4: Your Company’s Vulnerabilities
Individually brainstorm the following question and be prepared
to share examples with the group:
1. What are the top 3-5 vulnerabilities your company faces?
2. Rank them on probability (high-medium-low) and on impact
(catastrophic-critical-marginal).
3. How well prepared is your company today to addressing these
top areas of vulnerability to disruption?
Crisis Risk Management & Corporate Reputation
Beyer, C.E. (Jan-Feb 2010). The
impact of crisis risk management on
corporate reputation. Building
Profits. Construction Financial
Management Association.
Risk and Reputation
• Becoming or remaining an employer of choice
– Experiencing less voluntary employee attrition
• Retaining existing customers & attracting new customers
• Expanding market share
• Enhancing the ability to forge strategic partnerships and alliances
• Differentiating from competitors
– Charging premium prices or gaining market share
Key Challenge: Creating a Sustainable Competitive Advantage
Strategic Risk Management
1. Strategic risks emanate from tangible and intangible assets
–
Brand, market position and competitive advantage
2. Shift from reactive disruption recovery to proactive disruption
prevention
Examples of Strategic Risks
Company image and corporate reputation
Key relationships, including partnerships and
strategic alliances
Availability of capital and credit
Patents and other Intellectual Property
Adoption of technology and other innovations
Emerging substitute products and services
Economies of scope and scale
Changing political and regulatory climate
Mergers and acquisitions and new
competitors/suppliers
Contraction, divestiture or bankruptcy of
existing competitors or suppliers
Shifting customer preferences
Opportunity to Leverage Safety as C-Suite Concern
Key Learning: Attitude of
Invincibility
Attitude of invincibility prevails
•
–
•
Less than 20% of workshop attendees acknowledge having a written
or formal program
Invincibility stems from:
Comfort Zone = Complacency
Priority of today’s business demands
Randomness and bad luck of events
Overwhelming process
It can’t be that bad
Lighting doesn’t strike twice
Emergency Management Process
PLANNING
PREPAREDNESS
PREVENTION
Pre-Crisis Activities
RESPONSE
REMEDIATION
RECOVERY
Post-Crisis Activities
Source: Copyright 2010. Construction Financial Management Association. Emergency Management
Planning continuing education course. All rights reserved. Used with permission
Emergency Management Planning
Fundamentals
1.
Does your company have a formal, written
emergency plan?
2.
Has this plan been disseminated and
posted throughout the company?
3.
Have all employees been trained on the
plan?
4.
When was the last formal update
completed for your plan?
5.
Has your company conducted tests or
drills on this plan?
Source: Copyright 2010. Construction Financial Management Association. Emergency Management
Planning continuing education course. All rights reserved. Used with permission
Needs Assessment -- Does Your Plan
Include:
1. Vulnerability assessment?
2. Probability Analysis?
3. Business continuity plan for
data recovery?
4. Emergency operations
procedures?
5. “Go boxes/kits” of key
records/data?
6. Evacuation procedures and
drills?
7. Centralized meeting place(s)?
8. Critical Incident Response
protocol
9. Internal resource lists (e.g.,
telephone trees)?
10. External resource contact lists?
11. Crisis media management plan
with designated spokesperson?
12. Communication systems
protocols for customers,
suppliers, employees, business
partners and stakeholders?
Insurance & Risk Management
Review
1.
Solicit professional assessment of your company’s
insurance and contractual risk
–
–
–
–
–
–
Determine what is insured and what is not insured
Ensure submission has current valuation for buildings and equipment
Understand contractual obligations
Evaluate adequacy of coverages and policy limits
Understand basis of recovery: Replacement Cost vs. Actual Cash Value
Run various scenarios for potential impacts on business income and
extra expense
• Evaluate need for Business Interruption (BI), Contingent BI and
extra expense -- and understand waiting period(s)
Insurance/Risk Mgt Review (con’t.)
2.
Undertake comprehensive risk assessment evaluation
–
–
Assess vulnerabilities and interdependences
Institute corrective actions and plan future improvements
3. Evaluate need for tighter contractual controls
–
–
–
–
Add insurance requirements and indemnification language
Legal and risk management review of “critical clauses”
Add subcontractors’ emergency preparedness to pre-qual criteria
Ensure contractual risk transfer execution and documentation
exists at project level
•
Do not allow work to start without executed contracts
Business Continuity Planning
•
•
•
•
•
•
•
Design
Security (controls and enforcement)
Redundancy
Backup (offsite storage, archiving, and retrieval)
Backup of operating system, too!
Testing
Auditing
“Achilles Heel”: IT & Cyber-Risk
“Known-unknowns” or “unknown-unknowns” vulnerability
• Privacy data breach: financial and reputation risk
• Malware, hacking, viruses
• Theft of laptops, hand-held devices & retrievable storage
devices
•
Risk Horizon Scan: Top 5 Threats (2012)
•
As ranked by extremely concerned and concerned respondents
1.
2.
3.
4.
Unplanned IT and telecom outages (74%)
Data breach -- loss or theft of confidential information (68%)
Cyber attack -- malware, denial of service(65%)
Adverse weather -- windstorm/tornado, flooding, snow, drought
(59%)
5. Interruption to utility supply -- water, gas, electricity, waste
disposal (56%)
Source: Horizon Scan 2012 Survey, Business Continuity Institute
42
Business Continuity Institute
• 4th Annual Supply Chain Resilience Survey
– Download available with registration @ www.TheBCI.org
• 530 respondents in 65 countries
• “origins, causes and consequences of supply chain disruptions…”
• Increasing frequency, severity, disruption, consequences and costs
• 73% of respondents had at least 1 disruption (ave = 5)
• 39% below Tier 1
• Top 3:
– IT/telecom (52%
– Weather/Nat Cat (48%)
– Sourcing provider failure (35%)
Leading Sources/Causes of Data
Breaches
• 95% of breaches stem from 3 sources:
1. Loss or theft – 44%
2. Hacker – 32% (75% of exposed records)
3. Rogue employee – 19%
Source: “Cyber liability and data breach insurance claims”; NetDiligence, June 2011
44
Costs of Data Breaches (Direct and
Indirect)
•
•
•
•
•
•
•
•
•
•
Required notification/communication
Hosting call center for customer inquiries and support
Credit monitoring services
Crisis management services (legal and public relations)
Forensic investigation
Business interruption (loss of income, cost to recreate lost data, extra
expenses)
Regulatory fines
Restitution
Legal liability
Reputation
45
Statistics on Cyber Security
• $60 billion global cyber security spending1
• 10% growth over the next 3-5 years1
•
$10.2 billion in cyber security deals for first half of 20111
•
$75.63 billion spent by US companies on IT security2
1. The 2012 Global State of Information Security Survey®, a worldwide survey by CIO Magazine, CSO Magazine
and PwC.” .
2. Ponemon Institute, http://www.thefiscaltimes.com/Articles/2011/09/
46
IT and Business Continuity Risk Management
• Train employees on safeguarding data, hardware and portable
device security
• Audit clean desk policy and data security protocols
• Review vendor contracts to understand mutual contractual
obligations for confidentiality/non-disclosure and risk transfer
• Request business continuity plan from critical business
partners
• Deploy data encryption
• Develop incident response planning
• Configure networks using multiple firewalls
• Update anti-virus software regularly
47
IT and Business Continuity (con't.)
• Employ anti-virus software on all hardware and portable
devices
• Scans incoming email attachments for virus
• Back-up network data and configuration files daily
• Test business continuity disaster plan, including data recovery
protocols using archives from offsite data centers
• Install and test upgrades and security patches within 24 hours
of notification
• Conduct scenario exercises and simulation exercises to
understand exposures and to identify vulnerabilities
48
Immediate Next Steps
1.
2.
Undertake insurance and risk management review
Institute a planning team
Make it a team sport and a contact sport
– Interdisciplinary approach
–
3.
Identify vulnerabilities
Assess potential for disruption
– Determine expected frequency
– Quantify the likely and worst-case scenario
–
4.
5.
6.
Inventory existing internal resources
Determine available external resources
Develop, disseminate and drill on new plan
Individual Exercise: Action Steps
•
Identify 3 critical gaps in business resiliency or continuity
planning for your company.
•
Based on the information you have learned today, identify 3-5
specific tactics/strategies you will take at your company in key
areas:
• Emergency planning/preparedness
• Business continuity/resiliency
• Crisis management & communication
Appendix: Additional Resources
• Know Your Stuff® – Home Inventory
• Insurance Information Institute's free online home inventory
software (http://www.iii.org/)
Business Continuity Planning Checklist
CFMA Louisiana Joint Chapter
Conference in New Orleans
(March 2006)
Copy available upon request
Downloadable Government Resources
Emergency Management Guide for Business and
Industry
http://www.fema.gov/library/viewRecord.do?fromSea
rch=fromsearch&id=1689
Sample Emergency Plan Resources
www.ready.gov/business/
Protect Your Workplace: Cyber-Security
http://www.us-cert.gov/reading_room/
Business Continuity and Emergency Plan
http://www.ready.gov/business/_downloads/sampleplan.pdf
53
Critical Incident Response &
Crisis Management
Crisis Care Network
www.crisiscare.com
Critical incident response
Crisis communications
The Lukaszewski Group, Inc.
Division of Risdall Public Relations
http://www.e911.com/
Additional Resources
Bernstein Crisis Management, Inc.
www.bernsteincrisismanagement.com/
Guide to Business Continuity
Management, 2nd edition
http://www.protiviti.com/enUS/Pages/Guide-to-BCM-2ndEdition.aspx
Supply Chain Risk Management Resource
www.supplychainriskinsights.com
•Zurich North America’s co-branded microsite with Wall Street Journal
•Repository for thought leadership on supply chain risk management
topics
56
OSHA’s e-Hurricane Matrix
www.osha.gov/SLTC/etools/hurricane/
index.html
Copyright © 2010 CFMA
All rights reserved.
Cyber Risk Resource
The Financial Management of Cyber Risk: An Implementation
Framework for CFOs
http://webstore.ansi.org
Contact Information
Cal Beyer
Murray Securus
39 N. Duke Street
Lancaster, PA 17608
Phone: 717.397.9600
www.murrayins.com
cbeyer@murrayins.com
@riskleadership & @ContractorRisk
www.linkedin.com/in/calvinbeyer/