2010 Virginia RIMS and PRIMA Conference
October 5, 2010

Business Impact Analysis: The Road Map to Managing Risks

The need for information…
Understanding risks in quantifiable terms provides the roadmap

Business Impact Analysis (BIA)
• Measures the enterprisewide impacts to an organization in the event of a major disruption to key business processes
• Financial $ quantification of specific exposures
• Applied to internal as well as external processes / facilities

The Evolving Landscape
Pressures on the BUSINESS:
• Corporate governance
• Regulatory compliance
• Need for transparency
• Executive accountability
• Competitive pressure
• Reduced time to market
• Margin pressure
• Consolidations
• Global supply chains & economic conditions
• Business model complexities / silos
• Operational efficiency
• High asset utilization
• Lean manufacturing

The Evolving Landscape
Internal risks
• Traditionally covered?
External risks?
• Do risk management efforts match?
⇒ The distinction between internal and external is becoming more blurry
⇒ The property risk blind spot

Pressures lead to increasing risks and accountability to manage risk

And yet…

Response: The BCM ‘umbrella’
BUSINESS CONTINUITY MANAGEMENT
• CRISIS COMMUNICATIONS & PUBLIC RELATIONS
• SECURITY
• EMERGENCY MANAGEMENT
• KNOWLEDGE MANAGEMENT
• HEALTH & SAFETY
• QUALITY MANAGEMENT
• SUPPLY CHAIN MANAGEMENT
• FACILITIES MANAGEMENT & RISK IMPROVEMENT
• DISASTER RECOVERY
• RISK MANAGEMENT
Courtesy of the Business Continuity Institute

The BCM Model
• Understand your business (BIA: Analysis / prioritization)
• Develop your continuity strategies (BC / Ops Strategies)
• Implement your continuity strategies
• Keep continuity alive
• Design For Resilience

A few basic assumptions
BCP: Scenario neutral
Probabilities
• Factor into crisis management, not BCP
• Outage time is the key consideration with recovery strategies
Scope
• Entire facility
Worst case scenarios DO happen… plan on it and you’re ready for anything

Design for Resilience
To know where to direct limited resources, you must determine which activities are most critical to maintaining continuity and achieving your strategic objectives

Understand your business
How would the current level of understanding be assessed?
• Revenue streams, resilience and risks?
• Interdependencies between revenue streams?
• Mitigation capabilities?
• Ultimate exposures?

Developing BC strategies
• Prevent losses happening in the first place by protecting your critical processes
• Make changes now to critical processes in your business model to make it more resilient
• Develop plans that you can implement to maintain your business if the worst happens
Specific $ estimates allow for easier cost / benefit evaluation

Information sharing is critical
Operations, Finance, Supply chain and Risk Management, to create a prioritization map

Execution – Business Model Analysis
• Firm Infrastructure – Finance
• Human Resources
• Information Technology
• Purchasing/Procurement
• Inbound Logistics
• Operations
• Outbound Logistics
• Marketing & Sales
• Service
• Profit
Questionnaires, with follow-up interviews

Dependency Mapping

                       Location 1   Location 2   Location 3   Location 4
Product A   $15.5M        10%          50%         100%         100%
Product B   $100.1M        0%          25%         100%           0%
Product C   $75.6M         0%         100%         100%           0%
Product D   $355.3M       20%          65%         100%          10%

Understanding the relationship between revenue / margin streams and:
• Locations (can also drive values reporting)
• Processes
• Applications
• Suppliers (mainly sole sources)

Quantification Approach
Columns:
• Product Lines Impacted
• % Impacted
• Direct Annual Impact: Annual Product Variable Margin(s) (BI Value)
• Interdependent Annual Impacts: Annual Product Variable Margin(s) (BI Value)
• Replacement Period - Months
• Mitigation Time - Months
• Subtotal
• Additional Expenses: Rate, Amount
• Post-replacement lost sales: Rate (months), Amount

Internal / External Analysis
1. Determine product lines impacted and direct variable margin impacts on a product line basis
2. Evaluate potential interdependent impacts – other revenue streams
3. Determine current replacement / recovery period
4. Assess mitigation capabilities
5. Consider other loss-cost factors
   • Additional expenses, related to mitigation or other
   • Customer losses, after recovery; can be huge factor

RTO / MTO Identification
Maximum tolerable outage
• The duration after which an organization’s viability will be threatened if the activity cannot be resumed.
Recovery time objective
• The specific target time set for resumption of performance of an activity / process / application, etc. after an incident, which must support the MTO.
• Evaluate the gap from current recovery
Identification is important, but consider subjectivity
• Evaluate against specific $ exposure quantifications via worst-case scenario

Risk evaluation
Consider the relationship between physical risk and impact to the business when evaluating risk mitigation strategies

Resource direction
[Chart: BI Exposure vs. Risk Quality. Axes: BI Exposure ($M) and Actual Risk Mark Score. Locations plotted: Phoenix, Charlotte, Orlando, Beaumont, Houston, Austin, Dallas, San Antonio, Denver.]

Some examples…
• Carpet manufacturing: chemical supplier
• Coal mining interdependency
• Production bottlenecks
• Medical device supplier exposures
• Sr. management / BOD support for BCP / RI efforts
• Focusing RM resources (RI, BCP, transfer,…)
> $400M + Reputation + Market Share + Shareholder Value

Summary
BCM more critical
Prioritized approach to make manageable
• $ quantifications with assessment of physical risks
• Optimizes mitigation strategy selection
• Framework includes loss prevention
Does the management of internal and external risks match?

Eric Jones, CPA, CVA, CBCP
FM Global
AVP, Manager, Business Risk Consulting
eric.jones@fmglobal.com
972-731-1613