©2017 Fusion Risk Management, Inc.

Establish Command & Control for BCM Program Success

Wednesday, March 8, 2017

Whether your focus is Business Continuity, Disaster Recovery or Crisis/Incident Management, success as a leader requires that you have command of your program, and demonstrate that you are in control every step of the way.

This webinar will provide new perspectives on the challenges facing today's BCM practitioners, and help you redefine your strategies for achieving program success. Our discussion will include:

• Gathering and managing information to more fully understand risks and impacts.

• Driving engagement, ownership and accountability from your program contributors and executives.

• Organizing and orchestrating to achieve successful risk mitigation, disaster response, and recovery.

Now more than ever, successfully managing an enterprise BCM program means much more than conducting BIAs, developing plans, and running tests.

With the right approach you will find command and control is clearly achievable for BCM success.

2

Introductions

David HalfordDirector

Advisory Services

Fusion Risk Managementdhalford@fusionrm.com

www.linkedin.com/in/dahalford

Joe RobinsonSr. Director

Global Risk & Resilience

Micron Technologywww.linkedin.com/in/joerobinson

Andy MerckerVice President, Marketing

& Business Development

Fusion Risk Managementamercker@fusionrm.com

www.linkedin.com/in/amercker

3

What is Command & Control?

• Managing a Comprehensive BCM Program

• Engaging Everyone in your Organization

• Managing Incidents & Orchestrating Exercises

4

• Managing a Comprehensive BCM Program

• Engaging Everyone in your Organization

• Managing Incidents & Orchestrating Exercises

• Are you chasing after plan owners for updates, competing for executive attention, and struggling for awareness?

What is Command & Control?

• Are you more simply conducting BIA’s, developing plans, and running tabletop exercises?

• But does this mean simple tabletops, and being in “scramble mode” during actual incidents?

5

What holds us back?

6

?

?

?

• Disparate Data

• Uncoordinated Work Streams of Activities

• Lack of a Common Organizing Model

• Many Sources, Owned By Different Groups, Not Synchronized, Not Consolidated, Various Stages of Currency / Completeness / Accuracy

• Declare Disaster, Business Recovery, BC & DR Teams, First Responders, Facilities, Risk Agendas…

• Executive Reporting, Consistent Across Programs, Prioritization, Risk Tolerances, Investment Decisions

7

?

?

?

What holds us back?

• Convergence of Major Trends

• Growing Array of Agendas

• Increased Expectations for Positive Outcomes

Dramatically increasing the pressure to be more effective, efficient, and economical.

8

What's changed? Is what we’re doing no longer good enough?

Six Major Trends

What's changed? Is what we’re doing no longer good enough?

1. Ever tightening supply chains and increasing dependencies on critical vendors and outsourced service providers.

2. Increased customer demands to not simply promise but prove you have the ability to deliver.

3. Increased weather events creating greater and more frequent disruptions.

4. Executives’ heightened awareness of responsibilities for operational risk.

5. Greater dependency on IT, and greater IT infrastructure complexity.

6. Ever increasing cyber threats and information security events.

9

• Business Continuity

• Disaster Recovery

• Crisis Management

• Incident Management

• Emergency Management

• EH&S

• Security

Growing Array of Agendas

• Facility Risk

• Vendor Risk

• Cyber Risk

• Operational Risk

• Enterprise Risk

• Audit & Compliance

• Legal

What's changed? Is what we’re doing no longer good enough?

10

Expectations for Positive Outcomes

• Expectations for zero downtime

• Expectations for zero disruptions to the business

• No deficiencies in your program will cause the organization to miss any of its business objectives.

What's changed? Is what we’re doing no longer good enough?

11

Problem Definition How do we define these challenges?

• Information Foundation

• Effective Engagement

• Activation and Execution

12

• Information must be accurate and up to date in order to manage effectively at every point in your program.

• Information must be consolidated and organized under a “single pane of glass”, so that it’s readily available and presentable in context when you need it.

• Information must be sustainable, not simply a snapshot, to truly form the foundation of your program -- for your strategies, plans, procedures and activities needed to deliver resilience and recovery.

Problem Definition How do we define these challenges?

13

Information Foundation

• If you don't have people in your organization who are engaged, accountable and responsible, you don’t have the resources required to run a successful program.

• If you don't have the attention of your executives, how aware are they of risks and impacts to the business, and how do they determine appropriate levels of investment?

• Executive buy in and support is necessary to gain resources and tools to deliver an effective program.

Problem Definition How do we define these challenges?

14

Effective Engagement

• If your plans aren't what people turn to during a disruption, then what are they doing and who is leading them?

• If you lack a common organizing model, then how well can you coordinate people, and prioritize and sequence all of the work streams of activities?

• If information isn’t readily available as it’s changing, then how can you gain situational awareness to address unplanned scenarios or unexpected events?

Problem Definition How do we define these challenges?

15

Activation and Execution

16

Solution Definition

Information

Command & Control

Driving Engagement

Driving OutcomesStrategy & Preparation

• Information forms the Foundation and is required for all material advances

• Effective & efficient Engagement drives outcome

• Establishes confidence in ability to Activate & Execute at time of crisis and/or outage event

17

• Information forms the Foundation and is required for all material advances

• Effective & efficient Engagement drives outcome

• Establishes confidence in ability to Activate & Execute at time of crisis and/or outage event

Solution Definition

Information

Command & Control

Driving Engagement

Driving OutcomesStrategy & Preparation

Information Baseline

• Detailed Knowledge of the Business & Business Impacts“Understand how it works so you understand how it breaks”

• Methodology & System in place to maintain and manage information real-time “Deliver desired outcomes regardless of disruptions”

• Business Impact Data used in allaspect of Decision making

“Decisions based on current data”

• Ability to use Business Continuity data inOperational Management“Support Change Control & improve efficiency of daily operations”

Business Impact Management18

Starting Point - Impact Assessments

19

A Business Continuity Management process that…

…is used to determine and manage the outage impacts and exposures of mission-critical processes, applications or facilities over time

…is used to support & establish priorities for resilience, availability and/or recovery

…can be used to determine the “value” of a mission-critical process

…can also be used to support the business case for investments in IT, Facility and process resilience

Types of Impact Assessments

20

• Business Impact Assessment (BIA)(Process, Function, Department, Functional Area)

• System/Technology Impact Assessment (SIA/TIA)(Application, IT System, IT Service)

• Facility/Site Impact Assessment

• Vendor Risk Assessment

• Supply Chain Risk Assessment

Impact Management Best Practices

21

1. Focus on information that extends beyond a typical BIA.

2. Use a data model that reflects a. How your organization works, b. How it might break,c. How you can prevent breaks, andd. How you can put it back together

again.

3. Assume information is constantly changing

4. Methodology and approach promotes Ownership & Engagement

Engagement - what do we mean ?

22

Engagement is:

• Individual ownership

• Information updated regularly as part of operational process

• Program information is used to support operational decisions & viewed as a value to the enterprise

…is NOT:• Annual testing and plan reviews is only

time the extended program team is involved

• Business Impact Data only updated during traditional 2-3 year update cycle

• Maintaining program data and information baseline is viewed as a governance / regulatory requirement

Effective & efficient Engagement drives outcome & supports

successful Command & Control

Executive Engagement

23

• Starts on the foundation of facts and generates value to the Enterprise

• Program Status Dashboards –promotes program confidence & maintain visibility

• Collect & report information by areas of Relevance (VP, Department, Organizational Unit, etc.) – often generates a healthy competition

• Focus on factors that communicates your level of confidence in ability to execute

• Starts on the foundation of facts and generates value to the Enterprise

• Program Status Dashboards –promotes program confidence & maintain visibility

• Collect & report information by areas of Relevance (VP, Department, Organizational Unit, etc.) – often generates a healthy competition

• Focus on factors that communicates your level of confidence in ability to execute

Executive Engagement

24

Activation & Execution

25

Actual crisis events rarely reflect the tabletop test or a ‘planned’ exercise…

Integrating multiple plans, coordinating multiple teams and staying on track is challenging even for the most experienced practitioners.

Recovery orchestration techniques deliver better simulations and more predictable outcomes during actual crisis events.

• Focus on your Milestones

• Understand Dependencies

• Maintain Awareness (Situation and Progress)

• Distribute Responsibilities

• Communicate/Inform

• Be Adaptive

• Leverage Tools

Effective Recovery Orchestration

26

27

• Information forms the foundation for all material advances

• Effectiveness, Efficiency & Economic value can be delivered with new thinking and new approaches

• Command & Control can become your brand to advance your program

Solution Definition

Information

Command & Control

Driving Engagement

Driving OutcomesStrategy & Preparation

©2016 Micron Technology, Inc. All rights reserved. Information, products, and/or specifications are subject to

change without notice. All information is provided on an “AS IS” basis without warranties of any kind.

Statements regarding products, including regarding their features, availability, functionality, or compatibility,

are provided for informational purposes only and do not modify the warranty, if any, applicable to any

product. Drawings may not be to scale. Micron, the Micron logo, and all other Micron trademarks are the

property of Micron Technology, Inc. All other trademarks are the property of their respective owners.

Micron Technology Global Risk & Resilience

Joe RobinsonSr. Director, Global Risk & Resilience

©2016 Micron Technology, Inc. All rights reserved. Information, products, and/or specifications are subject to

change without notice. All information is provided on an “AS IS” basis without warranties of any kind.

Statements regarding products, including regarding their features, availability, functionality, or compatibility,

are provided for informational purposes only and do not modify the warranty, if any, applicable to any

product. Drawings may not be to scale. Micron, the Micron logo, and all other Micron trademarks are the

property of Micron Technology, Inc. All other trademarks are the property of their respective owners.

29

Micron by the Numbers

38 Years strong in

18 Countries with 13 Manufacturing and R&D sites,

3O,OOO+ Team Members and

Net Sales in Fiscal 2016 of

$12,39O,OOO,OOO

| June 27, 2017

30

Corporate Headquarters and R&D FacilitiesBOISE, ID

| June 27, 2017

31

Global Manufacturing Scale2

Lehi, Utah USA Manassas, VA USA

3

13

2 4

5

6

7

8

9

10

4

Hiroshima, Japan

10

Akita, Japan

5

Muar, Malaysia

9

Xian, China

7

Taiwan (Inotera)

6

Singapore

8

Taiwan

1

Boise, Idaho USA

| June 27, 2017

32

Serving a broad set of customer applications

| June 27, 2017

33

Global Risk & Resilience

• Risk Committee Oversite

• Risk Attitude

• Risk Tolerance

• Risk Management Process• Identify• Assess and Prioritize• Treatment and Control• Monitor Residual Risk• Report Effectiveness

Enterprise Risk Management

• Risk Committee Oversite

• Business Impact Analysis• Corporate Functions• Sites

• Risk Assessment• Disruptive Risks• Included in ERM Process

• Continuity Strategy• Corporate Functions

• Plans

• Training and Exercises

Business Continuity Management Crisis Management

• Risk Committee Oversite

• Crisis Management Teams• Executive• Site

• Cross-functional

• Crisis Management Process• Monitor and Alert• Activation• Event Management• Deactivation• Evaluation and

Improvement

| June 27, 2017

34

Command & Control

• Authority

• Subject Matter Expertise

• Know Your Business

• Lead Your Program

• Control, during an event, is a figment of your imagination!

June 27, 2017

35

Engagement

• Value• What is it?

• How do you measure it?

• Top Down and Bottom Up

June 27, 2017

36

Activation / Execution

• Trust

• Process

• Monitor and Adjust

June 27, 2017

David HalfordDirector

Advisory Services

Fusion Risk Managementdhalford@fusionrm.com

www.linkedin.com/in/dahalford

Joe RobinsonSr. Director

Global Risk & Resilience

Micron Technologywww.linkedin.com/in/joerobinson

Andy MerckerVice President, Marketing

& Business Development

Fusion Risk Managementamercker@fusionrm.com

www.linkedin.com/in/amercker

38

Q&A