Risk Management - Business Continuity Planning and Management

Description

This presentation outlines the basics of Business Continuity planning and management. Targeted at CEOs, CFOs and CIOs, it emphasizes the processes involved and the need to make BCP/M part of the enterprise's fabric.

Risk Management

Business Continuity Planning and Management

Presentation Outline

- ISO Principles of Risk Management
- Disaster Recovery vs. Business Continuity
- Unexpected Events
- Business Continuity and Risk Avoidance
- Planning and Management
- Break
- Development, Implementation and Exercise
- Return on Investment
- Business Continuity as an Operational Process

ISO Principles of Risk Management

- Should create value
- Must be an integral part of organizational processes
- Must be part of decision making
- Should explicitly address uncertainty and assumptions
- Is systematic and structured
- Should be based on the best available information
- Should be customizable
- Takes into account human factors
- Is transparent and inclusive
- Is dynamic, iterative and responsive to change
- Is continually improved and enhanced
- Must be continually or periodically re-assessed

Disaster Recovery vs. Business Continuity

Disaster Recovery vs. Business Continuity

- Disaster Recovery: the processes involved in restoring a business to normal operation after its operations have been partially or completely interrupted by some event
- Business Continuity Planning: planning to keep your business operating through an unexpected event
- Business Continuity Management: managing the sustaining of key business components, bridging the event

Discussion

Is Business Continuity Planning Necessary?

Compelling Factors
- Regulatory requirements
- Competitive requirements
- Customer impact
- Investor impact
- Potential litigation

Does Company Size Matter?
- Is BCP for large companies only?

Bottom Line
- Keep business functioning and protect Company assets (human, IP, infrastructure)

Unexpected Events

What Constitutes a Disaster or Business Continuity Interruption?

Catastrophic Events
- Location destroyed
- Distribution center destroyed
- Headquarters destroyed

Events arising from:
- Supply Chain disruption
- Smoke/Fire
- Cyber attack
- Terrorism
- Earthquake
- Effects of a nearby disaster (RR tanker derails; Fukushima)
- Social disturbance (people are hurt and the facility is a crime scene)

Be careful of playing the odds: Virginia's last earthquake was over 100 years ago; until August, 2011.

Example Disruption Scenarios

- Level 1: Loss of secondary function. Example: loss of SaaS provider (Outsourced Accounting System) ($)
- Level 2: Technology offline. Example: loss of local computing environment ($)
- Level 3: Distribution network impact. Example: loss of warehouse (physical goods)
- Level 4: Regional command and control. Example: loss of entire division
- Level 5: Disaster. Example: loss of entire company ($$$$)

Cost rises with each level, from $ at Level 1 to $$$$ at Level 5.

Business Continuity and Risk Avoidance

Business Continuity Overview

- Business initiative, not an Information Technology initiative
- Must keep key revenue streams operating
- Need a vulnerabilities list (highest to lowest)
- Risk avoidance
  - Total Risk Avoidance: replicated facility (higher cost)
  - Minimal Risk Avoidance: essential operational systems (lower cost)
- Balancing act

Keep Key Revenue Streams Operating

Reduce or eliminate revenue stream interruptions by:
- Keeping the supply chain moving
- Filling orders to key customers
- Receiving payments
- Paying key invoices

List Vulnerabilities

Remember S.W.O.T. analysis:
- Strengths: your Company may have an effective logistics network that can sustain loss of a warehouse with little or no impact to continuing operations
- Weaknesses: list areas where the Company is most vulnerable to interruptions, ordered by business impact
- Opportunities: you may be able to consolidate operations for the short term, or take advantage of unused space in a lesser-used building in the event of facility loss
- Threats: including those listed under Example Disruption Scenarios, natural disasters (floods, hurricanes, tornados, earthquakes), etc.

Other Vulnerability Assessment Tools

Risk Identification
- Brainstorming
- Questionnaires
- Business studies assessing both internal and external factors which can influence operations
- Industry benchmarking
- Scenario analysis
- Risk assessment workshops
- Incident investigation
- Auditing and inspection
- HAZOP (Hazard & Operability Studies)

Risk Analysis
- Dependency modeling
- Event tree analysis
- Real Option Modeling (Valuation)
- Decision making under conditions of risk and uncertainty
- Measures of central tendency and dispersion (descriptive statistics)
- PEST (Political, Economic, Social, Technological) analysis

Total Risk Avoidance

- How much is too much?
- Total replication of all operational systems
- Example: U.S. Postal Service (two of five Data Centers)

Discussion.

Minimal Risk Avoidance

Essential Systems
- Payroll (time clocks)
- Inventory and Order Management
- E-mail (communication)
- A/R, A/P
- Shipping

5 Business Days

Is this right?

Balancing Act

Objective: Determine What You Need

Total Risk Avoidance
- Fully redundant systems and operations
- Facilities, Inventory, Shipping/Receiving

Minimal Risk Avoidance
- Select functions deemed essential
- Some disruption in service is acceptable

Discussion

Planning and Management

Managing the Risk

- High-level planning
- Develop the plan and publish it
- Implementation and exercise
- When is the plan considered complete?

Getting Started: Objectives

Your Company's Business Continuity and Needs
- Define what business continuity means for your company
- Determine what you need in order to maintain it

Take nothing for granted
- Review all operational concerns
- Review both internal and external factors

Discovery process budget
- Determine a rough order of magnitude budget for the discovery process
- Fund it

Discussion: how can this be done?

High-level Planning

Engage management and build the BCP team
- CEO, COO, CFO, CIO
- Name business and technology leaders as BCP stakeholders

Create a standard Charter for the project
- Make it an Enterprise project
- Agree on a single individual as the owner, with an understudy
- Assign a project manager

Isolate Continuity targets
- Essential business functions (use a risk matrix)
- Scrutinize pitfalls/darlings/issues

Project Charter

A Project Charter:
- Lists reasons for undertaking the project
- Solidifies objectives and constraints of the project
- Provides directions concerning the solution
- Gives names and titles of the main stakeholders
- Enumerates in-scope and out-of-scope items
- Acts as a high-level risk management plan
- Serves as a communication plan
- Targets project benefits
- Authorizes high-level budget and spending authority

Project Charters are used to:
- Authorize a project
- Aid with resource management
- Focus overall scope

Risk Matrix Example

- Helps isolate potential interruptions in service
- Link this to the affected operations' service continuity plan

Threat               Probability (P)  Impact (I)  Risk = P x I
Hurricane            80%              1           80%
Flooding – Internal  80%              1           80%
Severe Storms        25%              1           25%
Flooding – External  80%              0.2         16%
Wind Storm           10%              1           10%
Tornado              10%              1           10%
Terrorism            10%              1           10%
Fire – Internal      10%              1           10%
Fire – External      10%              1           10%
Earthquake           1%               1           1%
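The matrix above reduces to a small risk register: Risk = P x I per threat, a ranking from highest to lowest, and a link from each threat to the operations whose continuity plans it should drive. The following is an added example, not the deck's own material; it reproduces the slide's values, and the "affected operations" column and the 0..1 range check are assumptions introduced here.

```python
# Added example (not from the original deck): a risk register that reproduces
# the slide's "Risk = P x I" matrix, ranks threats by risk, and links each
# threat to the operations it affects. Probability and impact are fractions
# in 0..1. The operations column is a constructed assumption; the deck's own
# table has only threat, probability and impact.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # P, 0.0 .. 1.0
    impact: float        # I, 0.0 .. 1.0
    operations: tuple    # affected operations (assumed, not in the deck)

    @property
    def risk(self) -> float:
        """Risk = P x I, as on the Risk Matrix Example slide."""
        return self.probability * self.impact


# The deck's threats and values; affected operations are constructed.
REGISTER = [
    Threat("Hurricane",           0.80, 1.0, ("warehouse", "shipping", "payroll")),
    Threat("Flooding - Internal", 0.80, 1.0, ("data center", "payroll")),
    Threat("Severe Storms",       0.25, 1.0, ("shipping",)),
    Threat("Flooding - External", 0.80, 0.2, ("shipping",)),
    Threat("Wind Storm",          0.10, 1.0, ("warehouse",)),
    Threat("Tornado",             0.10, 1.0, ("warehouse", "data center")),
    Threat("Terrorism",           0.10, 1.0, ("headquarters",)),
    Threat("Fire - Internal",     0.10, 1.0, ("data center",)),
    Threat("Fire - External",     0.10, 1.0, ("warehouse",)),
    Threat("Earthquake",          0.01, 1.0, ("headquarters", "data center")),
]


def validate(threat: Threat) -> None:
    """Reject values outside 0..1: an entry typed as 80 instead of 0.80
    would otherwise silently dominate the ranking."""
    for label, v in (("probability", threat.probability), ("impact", threat.impact)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{threat.name}: {label}={v} must be within 0..1")


def ranked(register):
    """Threats from highest to lowest risk (the deck's 'vulnerabilities list,
    highest to lowest'). Python's sort is stable, so ties keep register order."""
    for t in register:
        validate(t)
    return sorted(register, key=lambda t: t.risk, reverse=True)


def risk_by_operation(register):
    """Exposure per operation: the highest-risk threat that touches it (max,
    not sum, since the threats are not independent). This is the link from
    the matrix to each operation's service continuity plan."""
    exposure = {}
    for t in register:
        for op in t.operations:
            exposure[op] = max(exposure.get(op, 0.0), t.risk)
    return dict(sorted(exposure.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for t in ranked(REGISTER):
        print(f"{t.name:<20} {t.probability:>4.0%} {t.impact:>4.1f} {t.risk:>5.0%}")
    print(risk_by_operation(REGISTER))
```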

Plan Components

Establish objectives for the plan. Examples include:
- Run payroll within 24 hours of the event
- Ship product within 48 hours of the event

Essential personnel
- List personnel required for managing the processes
- List backup personnel, in the event the primary personnel are directly affected by the event

Calendar/Timeline
- Create a calendar to pinpoint specific timing of actions
- List important dates such as payroll, monthly close, and other recurring events that can influence the required availability

Systems Recovery

What systems are crucial to maintain continuity?
- Payroll and time clocks?
- Inventory and Order management?
- Shipping and Receiving?
- Email?
- All of the above?

Be careful of purportedly autonomous systems. Question from the shipping manager:

"Since FedEx has supplied my shipping stations, and they are able to print shipping manifests, is it okay to go ahead and ship product even if the inventory and fulfillment systems are offline?"

Do you think it's okay?

Data Recovery

Differences between System and Data Recovery
- Systems are the substrate that manage and present data
- Data carries the information

Data Recovery Point Objective
- How old is the data that can be recovered?
- Where is the backup stored? Offsite, or still on-site?
- When was the last validation that data could be recovered?

Data Recovery Time Objective
- How long will it take to recover?
- Will data be recovered to the point just prior to the event?
- What about data that is lost?
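The recovery point and recovery time questions above can be answered from facts a backup system already records: when the newest usable copy completed, where it lives, when a restore was last proven, and how long that restore took. The following is an added example, not part of the deck; the payroll objectives (4 hours of tolerable data loss, 24 hours to recover, 90-day maximum age for a restore test), the event time and both backup records are constructed sample data.

```python
# Added example (not from the original deck): evaluates a system's backup
# facts against its Recovery Point Objective (RPO) and Recovery Time
# Objective (RTO) for a hypothetical event time. All names, timestamps and
# objectives below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupRecord:
    system: str
    last_backup: datetime          # completion time of the newest usable backup
    offsite: bool                  # is the copy stored away from the primary site?
    last_restore_test: datetime    # last time a restore was actually validated
    measured_restore: timedelta    # how long that validated restore took


@dataclass(frozen=True)
class Objectives:
    rpo: timedelta                 # maximum tolerable data loss window
    rto: timedelta                 # maximum tolerable time to recover
    max_test_age: timedelta        # how stale a restore validation may be


def assess(rec: BackupRecord, obj: Objectives, event_time: datetime) -> list:
    """Return the objectives the system would miss if the event struck at
    event_time. An empty list means the recovery plan holds on paper."""
    findings = []
    lost_window = event_time - rec.last_backup   # data written after the last backup is lost
    if lost_window > obj.rpo:
        findings.append(f"RPO: {lost_window} of data lost, objective {obj.rpo}")
    if not rec.offsite:
        findings.append("RPO: only copy is on-site and shares the site's fate")
    if event_time - rec.last_restore_test > obj.max_test_age:
        findings.append("RPO: restore not validated within the allowed window")
    if rec.measured_restore > obj.rto:
        findings.append(f"RTO: restore takes {rec.measured_restore}, objective {obj.rto}")
    return findings


# Constructed objectives for payroll: the deck's example plan objective is to
# run payroll within 24 hours of the event; the 4-hour RPO and 90-day test age
# are assumptions made here.
PAYROLL_OBJ = Objectives(rpo=timedelta(hours=4), rto=timedelta(hours=24),
                         max_test_age=timedelta(days=90))
EVENT = datetime(2011, 8, 23, 17, 51, tzinfo=timezone.utc)   # constructed event time

# Constructed records: one that meets every objective, one that misses all four.
GOOD = BackupRecord("payroll", EVENT - timedelta(hours=1), True,
                    EVENT - timedelta(days=30), timedelta(hours=6))
STALE = BackupRecord("payroll", EVENT - timedelta(hours=30), False,
                     EVENT - timedelta(days=400), timedelta(hours=36))

if __name__ == "__main__":
    for rec in (GOOD, STALE):
        print(rec.system, assess(rec, PAYROLL_OBJ, EVENT) or ["objectives met"])
```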

Break

Development, Implementation and Exercise

Develop the Overall Plan

Stakeholders
- List their area's essential business functions
- List alternatives for each business function in a matrix
- Plan for functions without immediate alternatives

Assess alternatives for strategic functions
- Example: if a warehouse goes offline, can product ship from other warehouses? Include the estimated cost difference.

Document a process flow for decision-making and emergency response
- Ensure everyone knows who is in charge
- Establish a single point of contact for media relations and ensure all responses are funneled through them
- Do not depend on making good decisions inside the tornado

Develop the Execution Plan

Formulate a Business Continuity Management Plan
- Assign point individuals to manage specific areas of operation
- Ensure everyone has a backup

Establish action plans for:
- Running day-to-day operations
- Contacting insurance companies and managing distributions
- Recovering from the interruption; include vendors to source product, infrastructure and services
- Crisis communications to keep staff updated as changes occur

Implementation and Exercise

"No plan survives the battlefield."
— Helmuth von Moltke

Train for the exercise: notify participants of it, stage it, and implement it!

Implement it in stages:
- First, work out what you thought would happen
- Adjust the plan based on what actually happens

Common misconception: you can't exercise everything in the plan
- Yes, you can
- You may choose not to, because of disruption or cost

Choose a cycle for exercise, and stick to it.
- Minimal: annual (has drawbacks)
- Optimal: quarterly
- Super-optimal: continual (may apply to specific processes only)

When is the Plan Considered Complete?

Never
- Business Continuity is not a Project
- It's a program
- It's an operational process
- It's a strategy
- It exists as long as your business does

Each exercise should reflect an updated plan
- Exercising the plan is like putting on a play
- Remember your lines

Discussion

Return on Investment

Quote #1

A Grudge Buy or Providing ROI?

"The fact that most organizations are unlikely to ever use the full extent of the services they have paid for has, in the past, made disaster [recovery] something of a 'grudge buy' and not something that most companies are eager to spend money on."

ITWEB, September 25, 2001

Quote #2

Probability or Availability?

"...the probabilities associated by corporate management with the occurrence of most disasters are so low that the expected value of most disaster recovery programs does not begin to cover the costs required to implement (or purchase) them."

William Cappelli, Disaster Recovery Program Costing: The Missing Element, from GIGA, January 22, 1998

Quote #3

Bottom Line or Bottomless Pit?

"Recovery services don't add anything to the bottom line, but the consequences of not having a plan in place can be disastrous."

Dave Linacre, Managing Director, IBM Business Continuity and Recovery Services

Reasons ROI Is Not Calculated

- Difficulties in making the calculation
- Not a financial decision
- Lack of commitment to the process
- Not an important issue

Bottom Line: Should it take a disaster to recover your investment?

Calculating Return on Investment

- ROI is calculated on projects with fixed costs and an end date
- Business Continuity starts as a project, but becomes an on-going operational program

Cost vs. Time to Ownership: hard to calculate
- The project has high development costs up-front
- The project's long tail never ends (constant updates as new systems and changes to business processes occur)

Value Perspective: possible to calculate
- Complex calculation (host of factors including loss of productivity)
- Moderate calculation (risk register)
- Simple calculation (loss by specific system)
- Cost of Downtime

The Cost of Downtime

Tangible Costs
- Lost Revenue
- Lost Wages
- Remedial Labor Costs
- Lost Inventory
- Marketing Costs
- Bank Fees / Penalties
- Legal Costs

Intangible Costs
- Lost Opportunity
- Employee Retention
- Loss in Share Value
- Goodwill
- Brand Damage

Example Costs of Doing Nothing

Average Hourly Costs of Downtime
- Airline Reservations: $89,500
- Retail Catalog: $90,000
- Infomercials / Promotion: $199,500
- Retail Banking: $1,000,000
- Retail Brokerage: $6,500,000

Business Continuity as an Operational Process

Implementing Business Continuity

What Not To Do?
- Treat BCP like a one-time project
- Turn BCP into a Compliance Program

What To Do?
- Weave the program into processes as a forethought, not an afterthought
- Make BCP part of the operational fabric
- Validate progress with each Business Continuity exercise
- Grow Business Continuity as your business grows

ISO Principles of Risk Management and Business Continuity

- Should create value: BCP creates value by ensuring continued business operation
- Must be an integral part of organizational processes: BCP is an operational process and is therefore integral to the organization
- Must be part of decision making: BCP is strategic, and therefore part of decision making
- Should explicitly address uncertainty and assumptions: BCP inherently addresses uncertainty and assumptions
- Is systematic and structured: BCP is a systematic and structured process
- Should be based on the best available information: BCP is based on the best available information at its inception, and it is continually updated
- Should be customizable: BCP can be customized as changes in the business dictate
- Takes into account human factors: BCP ensures that the plan addresses the capabilities of people who can facilitate (or hinder) business continuity
- Is transparent and inclusive: BCP is transparent and inclusive by ensuring that stakeholders are fully involved in every aspect of the process
- Is dynamic, iterative and responsive to change: BCP changes as the business grows and expands
- Is continually improved and enhanced: BCP is an operational process that continually improves as the business grows
- Must be continually or periodically re-assessed: BCP is continually re-assessed as changes occur in the business

Questions

Sources

- DRI International
- Continuity Central
- Continuity Insights 2011 Conference
- Disaster Recovery Resources
- Disaster Recovery World
- PilotOnline.com
- Humbach, Rob. "Disaster Recovery: Finding ROI Without the Disaster," 2003
- A Risk Management Standard, AIRMIC, ALARM, IRM: 2002
- Wikipedia (various subject articles)

© 2010 — 2011, The Arrington Group, Inc. This presentation has been uploaded to SlideShare as a marketing instrument for the services of The Arrington Group, Inc.

The Arrington Group respectfully requests that you not use this presentation, or specific content from it, without express permission from The Arrington Group, Inc. Therefore, no person, organization or other entity should use this presentation, or specific content from it, as or in their own presentation. If you would like to use aspects of this presentation, or have questions regarding this one, please direct your inquiry to Cody.Shive@The-Arrington-Group.com.

The Arrington Group, Inc. does, however, grant you the right to cite this presentation, or aspects of it, as a bibliographical reference. Therefore, if you use this presentation for your research, please include the following citation:

Shive, Cody. “Business Continuity Planning and Management." The Arrington Group, Inc. SlideShare, 14 Dec. 2011. Web. 14 Dec. 2011.

All diagrams used in this presentation are © The Arrington Group, Inc. Images used are public domain.
