Risk Management - Business Continuity Planning and Management
DESCRIPTION
This presentation outlines the basics behind Business Continuity planning and management. Targeted to CEOs, CFOs and CIOs, this presentation emphasizes the processes and the need to make BCP/M part of the Enterprise's fabric.
TRANSCRIPT
Risk Management
Business Continuity Planning and Management
Presentation Outline
- ISO Principles of Risk Management
- Disaster Recovery vs. Business Continuity
- Unexpected Events
- Business Continuity and Risk Avoidance
- Planning and Management
- Break
- Development, Implementation and Exercise
- Return on Investment
- Business Continuity as an Operational Process
ISO Principles of Risk Management
- Should create value
- Must be an integral part of organizational processes
- Must be part of decision making
- Should explicitly address uncertainty and assumptions
- Is systematic and structured
- Should be based on the best available information
- Should be customizable
- Takes into account human factors
- Is transparent and inclusive
- Is dynamic, iterative and responsive to change
- Is continually improved and enhanced
- Must be continually or periodically re-assessed
Disaster Recovery vs.
Business Continuity
Disaster Recovery vs. Business Continuity
- Disaster Recovery: the processes involved in restoring a business to normal operation after its operations have been partially or completely interrupted by some event
- Business Continuity Planning: planning to keep your business operating through an unexpected event
- Business Continuity Management: managing the sustaining of key business components, bridging the event
Discussion
Is Business Continuity Planning Necessary?
- Compelling Factors: regulatory requirements, competitive requirements, customer impact, investor impact, potential litigation
- Does Company Size Matter? Is BCP for large companies only?
- Bottom Line: keep business functioning and protect Company assets (human, IP, infrastructure)
Unexpected Events
What Constitutes a Disaster or Business Continuity Interruption?
- Catastrophic Events: location destroyed, distribution center destroyed, headquarters destroyed
- Event Rising From: supply chain disruption, smoke/fire, cyber attack, terrorism, earthquake, effects of a nearby disaster (RR tanker derails; Fukushima), social disturbance (people are hurt and the facility is a crime scene)
- Be careful of playing the odds: Virginia's last earthquake was over 100 years ago; until August, 2011
Example Disruption Scenarios (cost rises with each level, from $ at Level 1 to $$$$ at Level 5)
- Level 1 — Loss of secondary function: loss of SaaS provider (Outsourced Accounting System)
- Level 2 — Technology offline: loss of local computing environment
- Level 3 — Distribution network impact: loss of warehouse (physical goods)
- Level 4 — Regional command and control: loss of entire division
- Level 5 — Disaster: loss of entire company
Business Continuity and Risk Avoidance
Business Continuity Overview
- Business initiative, not an Information Technology initiative
- Must keep key revenue streams operating
- Need a vulnerabilities list (highest to lowest)
- Risk avoidance:
  - Total Risk Avoidance: replicated facility (higher cost)
  - Minimal Risk Avoidance: essential operational systems (lower cost)
  - Balancing act
Keep Key Revenue Streams Operating
Reduce or eliminate revenue stream interruptions by:
- Keeping the supply chain moving
- Filling orders to key customers
- Receiving payments
- Paying key invoices
List Vulnerabilities
Remember S.W.O.T. analysis:
- Strengths — your Company may have an effective logistics network that can sustain loss of a warehouse with little or no impact to continuing operations
- Weaknesses — list areas where the Company is most vulnerable to interruptions, ordered by business impact
- Opportunities — you may be able to consolidate operations for the short term, or take advantage of unused space in a lesser-used building in the event of facility loss
- Threats — including those listed under Example Disruption Scenarios, natural disasters (floods, hurricanes, tornados, earthquakes), etc.
Other Vulnerability Assessment Tools
Risk Identification:
- Brainstorming
- Questionnaires
- Business studies assessing both internal and external factors which can influence operations
- Industry benchmarking
- Scenario analysis
- Risk assessment workshops
- Incident investigation
- Auditing and inspection
- HAZOP (Hazard & Operability Studies)
Risk Analysis:
- Dependency modeling
- Event tree analysis
- Real Option Modeling (Valuation)
- Decision making under conditions of risk and uncertainty
- Measures of central tendency and dispersion (descriptive statistics)
- PEST (Political, Economic, Social, Technological) analysis
Total Risk Avoidance
- How much is too much?
- Total replication of all operational systems
- Example: U.S. Postal Service (two of five Data Centers)
Discussion.
Minimal Risk Avoidance
Essential Systems:
- Payroll (time clocks)
- Inventory and Order Management
- E-mail (communication)
- A/R
- A/P
- Shipping
- 5 Business Days
Is this right?
Balancing Act
Objective: Determine What You Need
- Total Risk Avoidance: fully redundant systems and operations (facilities, inventory, shipping/receiving)
- Minimal Risk Avoidance: select functions deemed essential; some disruption in service is acceptable
Discussion
Planning and Management
Managing the Risk
- High-level planning
- Develop the plan and publish it
- Implementation and exercise
- When is the plan considered complete?
Getting Started: Objectives
Your Company's Business Continuity and Needs
- Define what business continuity means for your company
- Determine what you need in order to maintain it
Take nothing for granted
- Review all operational concerns
- Review both internal and external factors
Discovery process budget
- Determine a rough order of magnitude budget for the discovery process
- Fund it
Discussion: how can this be done?
High-level Planning
Engage management and build the BCP team
- CEO, COO, CFO, CIO
- Name business and technology leaders as BCP stakeholders
Create a standard Charter for the project
- Make it an Enterprise project
- Agree on a single individual as the owner, with an understudy
- Assign a project manager
Isolate Continuity targets
- Essential business functions (use a risk matrix)
- Scrutinize pitfalls/darlings/issues
Project Charter
A Project Charter:
- Lists reasons for undertaking the project
- Solidifies objectives and constraints of the project
- Provides directions concerning the solution
- Gives names and titles of the main stakeholders
- Enumerates in-scope and out-of-scope items
- Dictates a high-level risk management plan
- Serves as a communication plan
- Targets project benefits
- Authorizes high-level budget and spending authority
Project Charters are used to:
- Authorize a project
- Aid with resource management
- Focus overall scope
Risk Matrix Example
- Helps isolate potential interruptions in service
- Link this to the affected operations' service continuity plan

Threat               Probability (P)   Impact (I)   Risk = P x I
Hurricane                  80%             1            80%
Flooding – Internal        80%             1            80%
Severe Storms              25%             1            25%
Flooding – External        80%            0.2           16%
Wind Storm                 10%             1            10%
Tornado                    10%             1            10%
Terrorism                  10%             1            10%
Fire – Internal            10%             1            10%
Fire – External            10%             1            10%
Earthquake                  1%             1             1%
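The risk matrix above is the input to the "vulnerabilities list (highest to lowest)" that the Business Continuity Overview asks for. The following is an added example, not code from the presentation or from The Arrington Group: it scores each threat with the slide's rule (Risk = P x I), rejects entries whose P or I are outside 0..1 (a probability typed as 80 instead of 0.80 would otherwise dominate the ranking unnoticed), ranks the threats, and splits them at a planning threshold into those that get a continuity plan and those recorded as accepted risk. The threat names and values are the slide's; the Threat type, the threshold and the helper functions are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Values below are taken from the slide's risk matrix; the Threat type and
# the helper functions are an illustrative addition, not part of the deck.


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # P: likelihood of the event in the planning period, 0..1
    impact: float       # I: share of the linked operation lost if it occurs, 0..1

    @property
    def risk(self) -> float:
        """Risk = P x I, the slide's scoring rule."""
        return self.probability * self.impact


RISK_MATRIX: List[Threat] = [
    Threat("Hurricane", 0.80, 1.0),
    Threat("Flooding - Internal", 0.80, 1.0),
    Threat("Severe Storms", 0.25, 1.0),
    Threat("Flooding - External", 0.80, 0.2),
    Threat("Wind Storm", 0.10, 1.0),
    Threat("Tornado", 0.10, 1.0),
    Threat("Terrorism", 0.10, 1.0),
    Threat("Fire - Internal", 0.10, 1.0),
    Threat("Fire - External", 0.10, 1.0),
    Threat("Earthquake", 0.01, 1.0),
]


def validation_errors(threats: List[Threat]) -> List[str]:
    """One message per entry whose P or I lies outside 0..1.

    A probability entered as 80 (per cent typed as a whole number) would
    silently inflate every downstream ranking, so it is rejected, not scored.
    """
    errors = []
    for t in threats:
        if not 0.0 <= t.probability <= 1.0:
            errors.append(f"{t.name}: probability {t.probability} not in 0..1")
        if not 0.0 <= t.impact <= 1.0:
            errors.append(f"{t.name}: impact {t.impact} not in 0..1")
    return errors


def ranked_vulnerabilities(threats: List[Threat]) -> List[Threat]:
    """The slide's 'vulnerabilities list (highest to lowest)'.

    sorted() is stable, so threats with equal risk keep their matrix order.
    """
    errors = validation_errors(threats)
    if errors:
        raise ValueError("; ".join(errors))
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def planning_split(threats: List[Threat], threshold: float) -> Tuple[List[Threat], List[Threat]]:
    """Partition into threats at or above the threshold (write a continuity
    plan for the linked operation) and those below it (record as accepted risk).
    The threshold is an assumption of this example; the slide sets none."""
    ranked = ranked_vulnerabilities(threats)
    plan = [t for t in ranked if t.risk >= threshold]
    accept = [t for t in ranked if t.risk < threshold]
    return plan, accept


def format_matrix(threats: List[Threat]) -> List[str]:
    """Render the ranked matrix as plain-text lines in the slide's column order."""
    lines = [f"{'Threat':<22}{'P':>6}{'I':>6}{'Risk':>8}"]
    for t in ranked_vulnerabilities(threats):
        lines.append(f"{t.name:<22}{t.probability:>6.0%}{t.impact:>6.1f}{t.risk:>8.0%}")
    return lines


if __name__ == "__main__":
    for line in format_matrix(RISK_MATRIX):
        print(line)
    plan, accept = planning_split(RISK_MATRIX, threshold=0.10)
    print("plan for:", [t.name for t in plan])
    print("accepted:", [t.name for t in accept])
```

With the slide's values and a threshold of 10%, every threat except Earthquake lands in the "plan" group; raising the threshold to 20% leaves only Hurricane, internal Flooding and Severe Storms, since external Flooding's high probability is offset by its 0.2 impact. That is the trade-off the matrix is meant to make visible before the cost discussion that follows.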
Plan Components
Establish objectives for the plan. Examples include:
- Run payroll within 24 hours of the event
- Ship product within 48 hours of the event
Essential personnel
- List personnel required for managing the processes
- List backup personnel, in the event the primary personnel are directly affected by the event
Calendar/Timeline
- Create a calendar to pinpoint specific timing of actions
- List important dates such as payroll, monthly close, and other recurring events that can influence the required availability
Systems Recovery
What systems are crucial to maintain continuity?
- Payroll and time clocks?
- Inventory and Order management?
- Shipping and Receiving?
- Email?
- All of the above?
Be careful of purportedly autonomous systems
- Question from the shipping manager: "Since FedEx has supplied my shipping stations, and they are able to print shipping manifests, is it okay to go ahead and ship product even if the inventory and fulfillment systems are offline?"
- Do you think it's okay?
Data Recovery
Differences between System and Data Recovery
- Systems are the substrate that manage and present data
- Data carries the information
Data Recovery Point Objective
- How old is the data that can be recovered?
- Where is the backup stored? Offsite, or still on-site?
- When was the last validation that data could be recovered?
Data Recovery Time Objective
- How long will it take to recover?
- Will data be recovered to the point just prior to the event?
- What about data that is lost?
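The three Recovery Point Objective questions on this slide can be answered from the backup records an organization already keeps. The following is an added example, not code from the presentation or from The Arrington Group: it parses a small constructed backup log, finds the newest copy that would survive the event (completed before it and, when the site itself may be lost, stored offsite), measures how old that data is against the RPO, and checks whether a restore has been validated recently enough to trust. The log format, the field names, the event time and the RPO and validation-age limits are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample data and an illustrative log format; neither comes from the deck.
# Each line: "<completed ISO timestamp> <onsite|offsite> restore_tested=<ISO timestamp|none>"
SAMPLE_LOG = """\
2011-08-22T02:00:00 offsite restore_tested=2011-05-15T09:00:00
2011-08-23T02:00:00 onsite restore_tested=none
2011-08-23T02:05:00 offsite restore_tested=none
2011-08-23T13:00:00 onsite restore_tested=none
"""

# Constructed event time for the scenario (assumption, not a value from the slide).
EVENT_TIME = datetime(2011, 8, 23, 13, 51)


@dataclass(frozen=True)
class BackupRecord:
    completed: datetime
    location: str                        # "offsite" or "onsite"
    restore_tested: Optional[datetime]   # last time this copy was restored and validated


def parse_log(text: str) -> List[BackupRecord]:
    """Parse the constructed log format into records; malformed lines raise."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        completed, location, tested = line.split()
        if location not in ("onsite", "offsite"):
            raise ValueError(f"unknown location {location!r} in line: {line}")
        tested_value = tested.split("=", 1)[1]
        records.append(BackupRecord(
            completed=datetime.fromisoformat(completed),
            location=location,
            restore_tested=None if tested_value == "none" else datetime.fromisoformat(tested_value),
        ))
    return records


def recovery_point(records: List[BackupRecord], event_time: datetime,
                   require_offsite: bool = True) -> Optional[BackupRecord]:
    """Newest backup usable after the event.

    A copy finished after the event never existed from the recovery's point of
    view, and an on-site copy is only usable if the site itself survived.
    """
    usable = [r for r in records
              if r.completed <= event_time and (r.location == "offsite" or not require_offsite)]
    return max(usable, key=lambda r: r.completed) if usable else None


def rpo_assessment(records: List[BackupRecord], event_time: datetime,
                   rpo: timedelta, max_validation_age: timedelta) -> Dict[str, object]:
    """Answer the slide's RPO questions: how old is the recoverable data, where is
    it, and has recovery been validated recently enough (within max_validation_age)."""
    point = recovery_point(records, event_time)
    if point is None:
        return {"recoverable": False, "data_age": None, "within_rpo": False,
                "validated": False, "location": None}
    data_age = event_time - point.completed
    tests = [r.restore_tested for r in records if r.restore_tested is not None]
    last_test = max(tests) if tests else None
    validated = last_test is not None and event_time - last_test <= max_validation_age
    return {"recoverable": True, "data_age": data_age, "within_rpo": data_age <= rpo,
            "validated": validated, "location": point.location}


if __name__ == "__main__":
    result = rpo_assessment(parse_log(SAMPLE_LOG), EVENT_TIME,
                            rpo=timedelta(hours=24), max_validation_age=timedelta(days=90))
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the constructed scenario the offsite copy is under twelve hours old, so a 24-hour RPO is met, but the last validated restore is more than 90 days back, which is exactly the gap the slide's third question is meant to surface. If the site survives (require_offsite=False), the 13:00 on-site copy shrinks the data loss to under an hour, which is why the assessment records where the recovery point lives as well as how old it is.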
Break
Development, Implementation and Exercise
Develop the Overall Plan
Stakeholders
- List their area's essential business functions
- List alternatives for each business function in a matrix
- Plan for functions without immediate alternatives
Assess alternatives for strategic functions
- Example: if a warehouse goes offline, can product ship from other warehouses? Include the estimated cost difference.
Document a process flow for decision-making and emergency response. Ensure everyone knows who is in charge.
Establish a single point of contact for media relations and ensure all responses are funneled through them.
Do not depend on making good decisions inside the tornado.
Develop the Execution Plan
Formulate the Business Continuity Management Plan
- Assign point individuals to manage specific areas of operation
- Ensure everyone has a backup
Establish action plans for:
- Running day-to-day operations
- Contacting insurance companies and managing distributions
- Recovering from the interruption. Include vendors to source product, infrastructure and services
- Crisis communications to keep staff updated as changes occur
Implementation and Exercise
Train for the exercise:
- Notify participants of it,
- Stage it, and
- Implement it!
"No plan survives the battlefield." — Helmuth von Moltke
Implement it in stages:
- First, work out what you thought would happen
- Adjust the plan based on what actually happens
Common misconception: you can't exercise everything in the plan
- Yes, you can
- You may choose not to, because of disruption or cost
Choose a cycle for exercise, and stick to it.
- Minimal: annual (has drawbacks)
- Optimal: quarterly
- Super-optimal: continual (may apply to specific processes only)
When is the Plan Considered Complete?
Never
- Business Continuity is not a Project
- It's a program
- It's an operational process
- It's a strategy
- It exists as long as your business does
Each exercise should reflect an updated plan
Exercising the plan is like putting on a play
- Remember your lines
Discussion
Return on Investment
Quote #1
A Grudge Buy or Providing ROI?
"The fact that most organizations are unlikely to ever use the full extent of the services they have paid for has, in the past, made disaster [recovery] something of a 'grudge buy' and not something that most companies are eager to spend money on."
ITWEB, September 25, 2001
Quote #2
Probability or Availability?
"…the probabilities associated by corporate management with the occurrence of most disasters are so low that the expected value of most disaster recovery programs does not begin to cover the costs required to implement (or purchase) them."
William Cappelli, Disaster Recovery Program Costing: The Missing Element, from GIGA, January 22, 1998
Quote #3
Bottom Line or Bottomless Pit?
"Recovery services don't add anything to the bottom line, but the consequences of not having a plan in place can be disastrous."
Dave Linacre, Managing Director, IBM Business Continuity and Recovery Services
Reasons ROI Is Not Calculated
- Difficulties in making the calculation
- Not a financial decision
- Lack of commitment to the process
- Not an important issue
Bottom Line: should it take a disaster to recover your investment?
Calculating Return on Investment
- Calculated on projects with fixed costs and an end date
- Business Continuity starts as a project, but becomes an on-going operational program
Cost vs. Time to Ownership: hard to calculate
- The project has high development costs up-front
- The project's long tail never ends (constant updates as new systems and changes to business processes occur)
Value Perspective: possible to calculate
- Complex calculation (host of factors including loss of productivity)
- Moderate calculation (risk register)
- Simple calculation (loss by specific system)
Cost of Downtime
The Cost of Downtime
Tangible and intangible costs include:
- Lost Revenue
- Lost Wages
- Lost Opportunity
- Employee Retention
- Remedial Labor Costs
- Lost Inventory
- Loss in Share Value
- Goodwill
- Marketing Costs
- Bank Fees / Penalties
- Brand Damage
- Legal Costs
Example Costs of Doing Nothing
Average Hourly Costs of Downtime:
- Airline Reservations: $89,500
- Retail Catalog: $90,000
- Infomercials / Promotion: $199,500
- Retail Banking: $1,000,000
- Retail Brokerage: $6,500,000
Business Continuity as an Operational Process
Implementing Business Continuity
What Not To Do?
- Treat BCP like a one-time project
- Turn BCP into a Compliance Program
What To Do?
- Weave the program into processes as a forethought, not an afterthought
- Make BCP part of the operational fabric
- Validate progress with each Business Continuity exercise
- Grow Business Continuity as your business grows
ISO Principles of Risk Management and Business Continuity
- Should create value: BCP creates value by ensuring continued business operation
- Must be an integral part of organizational processes: BCP is an operational process and is therefore integral to the organization
- Must be part of decision making: BCP is strategic, and therefore part of decision making
- Should explicitly address uncertainty and assumptions: BCP inherently addresses uncertainty and assumptions
- Is systematic and structured: BCP is a systematic and structured process
- Should be based on the best available information: BCP is based on the best available information at its inception, and it is continually updated
- Should be customizable: BCP can be customized as changes in the business dictate
- Takes into account human factors: BCP ensures that the plan addresses capabilities of people who can facilitate (or hinder) business continuity
- Is transparent and inclusive: BCP is transparent and inclusive by ensuring that stakeholders are fully involved in every aspect of the process
- Is dynamic, iterative and responsive to change: BCP changes as the business grows and expands
- Is continually improved and enhanced: BCP is an operational process that continually improves as the business grows
- Must be continually or periodically re-assessed: BCP is continually re-assessed as changes occur in the business
Questions
Sources
- DRI International
- Continuity Central
- Continuity Insights 2011 Conference
- Disaster Recovery Resources
- Disaster Recovery World
- PilotOnline.com
- Humbach, Rob. "Disaster Recovery: Finding ROI Without the Disaster," 2003
- A Risk Management Standard, AIRMIC, ALARM, IRM: 2002
- Wikipedia (various subject articles)
© 2010 — 2011, The Arrington Group, Inc.
This presentation has been uploaded to SlideShare as a marketing instrument for the services of The Arrington Group, Inc.
The Arrington Group respectfully requests that you not use this presentation, or specific content from it, without express permission from The Arrington Group, Inc. Therefore, no person, organization or other entity should use this presentation, or specific content from it, as or in their own presentation. If you would like to use aspects of this presentation, or have questions regarding this one, please direct your inquiry to [email protected].
The Arrington Group, Inc. does, however, grant you the right to cite this presentation, or aspects of it, as a bibliographical reference. Therefore, if you use this presentation for your research, please include the following citation:
Shive, Cody. "Business Continuity Planning and Management." The Arrington Group, Inc. SlideShare, 14 Dec. 2011. Web. 14 Dec. 2011.
All diagrams used in this presentation are © The Arrington Group, Inc. Images used are public domain.