BCP - Munich Re

Minimising business interruption losses Business continuity planning – A risk management tool


Contents

What is business continuity planning (BCP)?

The fact that companies are heavily interconnected these days means that business interruption can cause immense losses. BCP minimises the risk of stoppages.

Recognising risks: Threat analysis

In order to prevent risks, you first have to recognise them and assess them properly. But how?

Identifying areas of weakness: Business impact analysis

What happens if today a supplier fails to deliver, a machine breaks down or a location is destroyed? Do you know your company’s reaction times?

Establishing responsibilities: Business continuity organisation

Clear structures are needed to plan for and deal with crises. Who does what when everything is in turmoil?

Developing crisis strategies: Disaster recovery plans

Emergencies cause havoc. How do you plan for the unthinkable? From the alerting routine to resumption of the business function.

Rehearsing for the real thing: Testing and developing BCP

Only a disaster recovery plan that is constantly practised and developed can provide protection. Does the BCP meet current requirements?

Transferring risks: Business interruption insurance

BCP helps minimise losses due to stoppages. What does business interruption insurance do?

Summary

Glossary

Authors, literature and internet links

Munich Re Minimising business interruption losses


What is business continuity planning (BCP)?

As production processes become ever more complex, the networking between companies and their economic interdependencies increase. Today, a business interruption can therefore also cause immense losses far from where it happens. Effective business continuity planning is therefore all the more important, for small and medium-sized enterprises too.

An interruption to business operations is every company management’s nightmare. Whether e-commerce, financial management or manufacturing industry is involved, the consequences of an abrupt break in business processes can threaten a company’s very existence. Business interruption can mean losing customers and damages a company’s image with business partners, investors, shareholders and the general public. What is more, liability claims can also arise – for example where delivery dates are not met as a result of a business interruption.

More and more complex production processes and the associated dependencies and economic interdependencies are making companies increasingly susceptible to disruptions. Moreover, September 11 and international terrorism have made firms drastically aware of just how vulnerable they are. Nevertheless, experience shows that most companies are not prepared for business interruptions and have not developed any solution concepts for site-specific contingent planning, crisis management and the resumption of operations following a crisis.

Business Continuity Planning (BCP) is a relatively new method, currently becoming established worldwide, for protecting business functions against serious crises and minimising the consequential losses arising from business interruption. The idea of BCP is that it allows companies to manage human, operational, technical or environmental risks – from operating error to global catastrophe – in such a way that operations are restricted as little as possible. BCP strategies and networks help prevent production discontinuities and maintain operations if need be even under adverse conditions.

Integral company protection

Take the example of an internet computer centre: transferring a gigantic terabyte flood of data requires a large number of hardware components, air-conditioning systems, connections, fire detection systems – and of course a power supply. In order to arm such systems against technical damage and interruptions, the market offers numerous options. However, these do not protect the company when, for example, suppliers or customers are suddenly no longer there, or the entire staff at a production facility falls ill as a result of a flu epidemic.

BC solutions are more complex than conventional safety measures. They are individually and wholly tailored to the specific structures, processes and security strategies of the company concerned and meet the requirements that the company itself has set. A reliable BCP model includes all the company’s typical business processes and risks and describes in concrete terms how these act in combination with each other: x hours’ shutdown of process y costs z euros of turnover. On this basis, all the organisational procedures are already established with a view to keeping the consequences of risks small.

The holistic structure of BCP includes both a company’s internal factors, such as organisation, infrastructure and information and decision-making channels, and external factors such as customers, suppliers, environment, nature and social setting. In order to establish BCP in a company, it is thus essential to look at the company as a whole and take account of all corporate levels. It is therefore advisable when drawing up or using a business continuity plan to appoint a BCP Officer at senior management level to coordinate one or more teams made up of members from all functional areas and central divisions.

But even a multi-layered concept for crises and catastrophes – which is to say for events that cause uncertainty and panic – must be simple and understandable. Pragmatism is therefore an essential element of workable business continuity planning.

Fig. 1 Internal and external dependencies of a tractor manufacturer

Production processes are becoming more and more complicated. If one component in the production chain is missing, this disrupts the whole integrated process.

[Figure: site plan of a tractor plant showing the manufacture, subassembly, final assembly and storage buildings with their storage and assembly areas, and incoming cargo and outgoing products by truck and railroad. Legend: railroad; production line; internal transportation; incoming cargo, delivery just in time.]

Source: MR Risk Management and Industrial Insurance Workshop

Cost-benefit considerations

Looked at in the short term, BCP may appear to be a management task with little operational productivity and a pure cost factor. However, it should not in any way be seen as hindering the core business or making it more expensive. Decision-makers very often misjudge the losses caused by business interruption and underestimate the benefits of effective BCP in ensuring a company’s continued existence in an emergency. A lot more information and raising of awareness is required here.

BCP entails costs – that is a simple truth. There is no rule of thumb for the level of costs involved, as they depend on the nature of the possible losses, the potential impact, and the probability of the risks occurring. The individual situation of the company concerned always forms the basis. In principle, however, the following applies: the tighter the safety net and the greater the availability, the higher the costs.

In the risk analysis that is carried out at the start of any BCP, idle production costs and any damage to a company’s image as a result of business interruptions of typical duration (between a few hours and several days) are calculated. These costs are compared with the preventive and reactive expenses involved in BCP. A risk-aware company management will set great store by a BC strategy; the economic investment in this strategy pays off within just a few hours when there is an emergency. For the purpose of BCP is not to over-regulate but to cushion the consequences of any discontinuity. In order to optimise expenditure, checks should be carried out in all cases to see whether existing continuity tools, for example those of suppliers or other business partners, could be used or adopted.

Business continuity planning aimed at 100% protection against incidents would be unrealistic purely on economic grounds. Redundant, duplicated IT architecture constantly running in parallel would therefore hardly be justifiable – unless specifically prescribed under company guidelines.

BCP as a competitive argument

BCP should not be underestimated as a shareholder argument either. Just as the certification of quality or environmental management soon proved to be a competitive advantage, guaranteeing business processes is also increasingly likely to convince shareholders. The graph below shows the results of a Marsh-Oxford study that examined the effects of 15 man-made disasters on shareholder value. The upper curve plots the 250-day course of the shareholder value of a company with a disaster recovery concept, while the lower curve plots that of a company without. In both cases, it can be seen quite clearly that the curve drops immediately after the occurrence. However, the positive effect of the recovery system on shareholder value can already be seen within the first few days. After 250 days, the difference between the two curves is around 25%.

Fig. 2 Internal/External risks (Examples, not exhaustive)

The causes and risks of a business interruption can be internal or external. Usually, the occurrence of any one of the above risks is enough to trigger a chain reaction. Loss reconstructions show that mostly a combination of unfortunate circumstances is involved.

[Figure: examples of internal and external risks: fire, explosion, damage to machinery; accidents; illness; cash shortage; sabotage/arson; electrical/electronic damage; negligence of employees; delivery delay; strike; insolvency of clients; pandemics; further technological development; computer viruses; natural hazards; shortage of raw materials; product liability; third-party liability claims; power failure.]

Fig. 3 Development of a company’s shareholder value with and without a disaster recovery concept after business interruption.

Shareholders reward BCP: 250 days after an incident, the shareholder value of companies with a disaster recovery concept is, on average, 25% higher than that of companies without.

[Figure: line chart with two curves, one showing the development of the shareholder value of a company with a disaster recovery concept and one that of a company without. Y axis: cumulative abnormal returns (CAR) in %, from –20 to 20. X axis: trading days after the event, from 0 to 250.]

Source: RIMS Risk and Insurance Management Society/2002 (Marsh/Oxford study of 15 man-made catastrophes)

Is BCP also advisable for small and medium-sized enterprises?

The good news for small and medium-sized firms is: effective and appropriate BCP need not be expensive. As small and medium-sized enterprises are less complex than large ones, and they have fewer production facilities and therefore also fewer business processes and dependencies, the cost of protecting them is correspondingly lower. On the other hand, it is precisely in such firms that even minor disruptions to business processes may threaten their very existence. This is because they do not have the necessary resources to be able to absorb business interruption losses.

For example, for small or medium-sized enterprises, a product recall can very quickly mean production downtime and thus business interruption. What can be done in such companies to get production restarted quickly?

When implementing BCP, these firms should not spend too much time dealing with probability analyses of all the risks but should concentrate on key points. Smaller enterprises can save themselves considerable time and money if, in workshops, they carry out risk analyses that are tailored to their company and, in so doing, determine the possible effects on their business.

The priorities for maintaining business continuity can then be established on this basis. For an optimum business continuity strategy, small and medium-sized companies set themselves the following tasks:

– Ascertaining why an activity, a procedure or a process is important for the enterprise
– Identifying risks that are significant
– Determining the probability of occurrence of these risks and the possible extent of any resulting loss
– Documenting measures that are to be taken in the event of a business interruption
– Training staff to enable them to proceed correctly when faced with specific hazards
– Reviewing, adapting and testing crisis plans regularly

Statutory requirements and guidelines

BCP is a suitable crisis intervention tool not only from the point of view of shareholders (image, reputation, liability claims), employees (job security) and customers (reliability, proximity to the market). Statutory requirements, binding commitments and standards also demand transparent risk management.

The German Corporate Control and Transparency Act (KonTraG) was introduced in 1998 as an early-warning system for crisis potentials and crisis prevention. For the financial sector in Germany, Section 25 of the German Banking Act (KWG) calls for “appropriate safety measures”. In its “Minimum requirements for the conduct of banks’ commercial transactions”, the German Federal Financial Supervisory Authority (BAFin) prescribes a written disaster recovery plan and calls for provisions against personal accidents and software errors, as well as alternative solutions that can be implemented in the short term in the case of stoppages due to technical factors. At the international level, “Basel II” for example, but also the Federal Reserve in the United States and the UK’s Financial Services Authority (FSA), which has legislative powers, lay down special guidelines.

Outsourcing

Drawing up a business continuity concept is a typical case for outsourcing. There are now numerous providers of business continuity services. The market is growing steadily, and many management consultancies have “discovered” BCP for themselves. The quality of the wide range of consultancy services on offer varies considerably, however, and references should therefore be sought.

According to one of the best-known consultancies, the service costs for business continuity, especially in the area of IT, have fallen annually by an average of 20%. From today’s standpoint, contracts with a maximum term of two years are therefore recommended. Since, in the relatively complex or sometimes even confused market, it is not easy for companies to find suitable outside support or a provider service, any expense incurred in connection with a change in the decision about the contract term should be included.

BCP step by step

Business continuity planning can be divided roughly into two areas of responsibility: The first includes all planning aimed at minimising risk and preventing business interruption. The second concerns the planning of all measures that are to be taken following an emergency in order to maintain business operations or to restart them following a business interruption.

There are several BCP standards that companies can take their bearings from for their business continuity planning – for example the systems approach set out in DIN ISO 17799 or its British “precursor”, BS7799-2:2002. These standards try to cover an information security management system in a similar way to the definitions in a standardised quality assurance system or an environmental management system. ISO 17799 has not yet been generally recognised as a standard, however, and is heavily criticised in some specialist circles.

Standardised BCP solutions

– DIN ISO 17799
– BS (British Standard) 7799-2:2002
– HB 221:2003 Business Continuity Management from Standards Australia
– FFIEC (Federal Financial Institutions Examination Council); www.ffiec.gov
– NIST (National Institute of Standards and Technology); www.nist.gov
– NFPA 1600 (National Fire Protection Association); www.nfpa.org
– ISO/TS 16949 Quality Management Systems in the Automotive Industry, Point 6.3.2 Disaster Recovery Plans; The ISO Survey of Certifications 2005 www.iso.org
– DRI (Disaster Recovery Institute); www.drii.org
– PAS 56 (Publicly Available Specification); new BS25999, The Business Continuity Institute; www.thebci.org
– BSI (British Standards Institution); www.bsi.org.uk

Fig. 4 The Australian standard

Because of its clear, well-organised structure, the newly developed Australian standard HB 221:2003 offers a very good basis for the structure of a business continuity plan. It divides the process of business continuity planning into nine steps, which are explained below:

Step 1: The start of any BCP involves raising the company management’s awareness. A business continuity strategy and BC guideline are then developed.

Step 2: Examine the company as a whole for conditions and processes that are critical for business interruption (threat analysis).

Step 3: Determine how long the company can continue to operate without its existence being jeopardised if critical areas fail (business impact analysis; BIA).

Step 4: Draw up a detailed strategy for site-specific contingent planning, crisis management and resumption of operations (recovery).

Step 5: Determine all the factors needed to be able to proceed according to the individual plans. These always depend on the individual situation in the enterprise, and especially on the current organisational and internal structure.

Step 6: Implement the strategy: develop easily understandable, pragmatic continuity plans and draw up documents for the strategy chosen in each case.

Step 7: Work out an emergency communication strategy for the company, as well as for customers, target groups and suppliers. The company’s communications or PR department usually takes on this task. Should the company not have such a department, an outside agency should be engaged to do this.

Step 8: Maintain, audit and practise the relevant disaster recovery plans under real conditions if at all possible.

Step 9: Integrate plans into the daily business, so that they can be implemented at any time.

Implementation of the agreed strategy is the last link in the chain of a properly functioning business continuity plan. The management of any business recovery is laid down precisely in documentation, usually known as a “disaster recovery manual”. This will contain, for example, names of people, alerting lists and alerting levels, facilities, equipment and much more in checklists, plans, address lists, decision aids, etc.

BCP Life Cycle

[Figure: cycle diagram of the nine steps: 1 Commencement; 2 Risk & Vulnerability Analysis (Threat Analysis); 3 Business Impact Analysis; 4 Response Strategy; 5 Resource Interdependency Requirements; 6 Continuity Plans for the chosen Strategy; 7 Communication Strategy; 8 Training, Maintaining & Testing Plans; 9 Activation & Development of Plans.]

Fig. 5 Practical examples

The following diagrams show examples of how business interruptions can arise.

Internal risk from machinery breakdown (MBI)

[Figure: process chain of an enterprise with supplier, incoming goods department, warehouse, forklift truck, internal transport, production/assembly, manufacture, quality assurance, packing and distribution. Machinery breakdown in the company’s only production line, replacement time five months: MBI leads to BI.]

– Business interruption
– Loss of market
– Financial losses
– Liabilities
– Payment of wages and salaries
– Bankruptcy
– Shareholders
– Media, press, image

External/internal risk from computer viruses

[Figure: paths from the origin of the virus to the enterprise: normal worldwide exposure by e-mail, a limited risk behind the firewall; increased exposure on account of poor risk awareness through employees as private users at home and direct transmission of the virus through data media.]

– Crash, failure of IT
– Business interruption
– Stagnating, falling sales
– Financial losses
– Loss of market shares
– Insolvency in the case of correspondingly long downtime
– Shareholders
– Press, media
– Loss of image

External risk from SARS

[Figure: paths from the SARS area of origin to the enterprise: normal worldwide exposure; increased exposure through a local SARS-exposed branch, commercial travellers, visitors from the SARS area or tourists in a SARS-exposed area that, in the absence of crisis management or risk management measures, can affect the headquarters.]

– Closure of business by authorities
– Business interruption
– Stagnating, falling sales
– Financial losses
– Loss of market shares
– Possible temporary loss of staff
– Loss of know-how
– Shareholders
– Press, media
– Loss of image

Recognising risks: Threat analysis

All BCP starts with a threat analysis tailored to the company. This involves examining the business as a whole for conditions and processes that are critical for business interruption. The results are used to assess the impact of specific outages and establish business recovery priorities.

Threat analysis is understood to mean an individual, holistic risk analysis of an enterprise. All threats that increase the probability of a business interruption occurring are documented in a risk profile and assessed individually and in a company-specific way. The risk profile makes it possible for the management to assess the potential risk situation in a strategic way. The more critical that business processes are in terms of time, turnover and profits, and the more intensive the IT infrastructure, the more imperative it is to incorporate them into the BCP concept.

“Risk frequency” and dependence on specific infrastructures are also important variables for the cost-benefit analysis of any BCP. The less one can do without a specific infrastructure, the higher the cost of having this available in an emergency will be. Safeguarding the entire infrastructure, however, would be so expensive that it would be unrealistic to do this in practice. It is therefore a case of sensibly weighing the risks according to the company’s specific interests against the investment needed to safeguard them – for example the probability of a power failure and its duration against the cost of an emergency power generator. Certain defined residual risks will undoubtedly have to be accepted in any case.

The following methods can be used to determine an enterprise’s weak points:

Checklist

The conditions and processes within an enterprise that are critical as far as business interruption is concerned can be examined using a checklist, for example. This usually involves asking the following questions:

– What impact would a disaster or a system failure have on the enterprise (e.g. fire, accident, act of terrorism, power failure, failure of deliveries)?
– What consequences would the failure of critical functions in the enterprise have?
– How long can a company cope with outages in the business as regards customers, partners and markets?
– What impact would an outage (per defined time) have on customers, suppliers and employees?
– Are there already suitable solutions for controlling or minimising risks?


Fig. 6 Example of a risk map

The risk map gives an overview of a company’s entire potential risk situation. The relationships between the individual risks also become visible.

[Figure: mind map centred on “Business interruption risk analysis”, with branches including machinery, recall of defective products, internet security, public liability, fire protection, safety at work, supplies, motor vehicle fleet, crisis management, management, emissions, technology, products, human resources, production, forklift trucks, environment and suppliers.]

Risk mapping

The risk-mapping method utilises the work technique of mind mapping. This makes it possible to visualise a company’s risks graphically and to represent the relationships that exist between the individual risks in reality. Risk mapping is therefore eminently suitable for identifying weak points with respect to business interruption.

Analysis of the supply chain

The progressive automation, specialisation, rationalisation and integration of modern industry has led internal and external dependencies of operating processes, products and services to become more and more serious. In order to better identify and quantify threats and, above all, critical bottlenecks in business processes, “dependency risks” in particular must be looked at. Especially medium-sized firms with a lot of equipment and numerous suppliers, customers and distribution channels should subject their supply chain to regular, serious risk control.

The following important factors and questions should be taken into account in order to safeguard the supply chain (supply-chain risk management):

– Identification of key suppliers and customers: degree of dependence with respect to total turnover (maximum loss of earnings, period of interruption for own company)
– Preparation of a risk portfolio for both the supply chain and the customer chain
– What measures (alternatives) can be taken to maintain one’s own business in the event of loss of suppliers or customers (alternative suppliers, disaster recovery planning)?
– Is temporary relocation to other production units with spare capacity possible?
– Have any contract penalties (so-called “force majeure clauses”) been agreed?
– What risks can be insured, and how? (see Section 7: “Transferring risks” in this connection).

Fig. 7 A company’s extended value chain

This diagrammatic representation of the true value chain clearly shows an enterprise’s “key dependencies”.

[Figure: value chain running from subsupplier, subvendor and subcontractor through key supplier, key vendor and key contractor to the primary facility, and from there to the internal customer and the external customers.]

Table 1 Safeguarding the supply chain – Example of a dependency analysis

Once the key dependencies (e.g. the key suppliers) have been identified, it becomes possible to put a figure to the maximum exposure, taking account of the possible loss-minimisation measures.

| Key suppliers | Location | Gross exposure in €m (1) | Max. period of interruption in months (2) | Net exposure in €m | Loss-minimisation measures |
|---|---|---|---|---|---|
| 1 | D | 500 | 4 | 167 | Production moved to supplier’s 2nd location |
| 2 | GB | 200 | 6 | 100 | Production outsourced to company X |
| 3 | I | 80 | 3 | 20 | Changeover to another supplier |
| 4 | A | 50 | 8 | 33 | Changeover to another supplier |

(1) As a proportion of the company’s total turnover.

(2) Loss-minimisation measures already taken into account.

Risk matrix

In order to show the company’s complete risk situation in graph form, the risks are entered in a risk matrix according to their loss amount and probability of occurrence. The probability of occurrence of a risk is plotted on the X axis and the maximum amount of loss on the Y axis. In this example, both axes are subdivided into low, moderate, high and very high. Currencies could also have been used equally well.

The risk matrix is divided into two areas: one consists of the risks that are acceptable to the enterprise, the other of the risks that are unacceptable. The aim of risk management and business continuity strategy is to convert all unacceptable risks into acceptable ones, using loss-prevention and loss-minimisation measures. Here, particular attention should be paid to restoring business activity as quickly as possible. What technical, organisational or other measures and aids are used to do this will depend on the company’s individual situation. It will not always be possible, however, to move all the risks into the acceptable area (as shown above). The smaller the risk of a loss occurring and/or the amount of loss, the smaller will be the probability of occurrence of a business interruption and any associated company crisis.

Risk analysis in combination with risk evaluation

The model below offers one way of analysing risks that are critical as far as business interruption is concerned. Its major advantage is that the risk can be presented at a glance:

The level of lost production depends on the duration of the business interruption and determines the magnitude of the crisis. At the start of the crisis, the business interruption gradually becomes apparent and finally crosses the point of no return. From there on, the crisis assumes its characteristic course, with the subsequent business interruption and associated production discontinuity (business interruption gap or BIG). Finally, the company manages to get the situation under control again and return to the initial level of production. The end of the crisis is also known as the “RAG” (return after the gap) point.

Plan of action for reducing and controlling risk

Once the risks have been identified and evaluated, it is advisable to draw up a list of measures. This will show the company-specific areas of weakness of any business interruption in a systematic way. Each weak point is given a number and is described together with the cause and the measures to be taken. In order to be able to proceed as effectively as possible, the measures are rated according to their effectiveness (low, moderate, high, very high) and prioritised (short-, medium-, long-term). Finally the costs to be expended are to be estimated. The risk manager must determine the totals for the relevant measures in consultation with the persons responsible in the departments concerned. To ensure that the plan of action is also implemented effectively, it is important to appoint an officer with specific duties and the right to issue instructions.

At the end of the threat analysis, the following key questions arise for the business continuity management.

– Are the critical functions and processes in the company defined?

– Does useful documentation exist on the frequency, scale and causes of business interruptions?

– Do comprehensive disaster recovery plans exist in which the necessary strategies, data and operating resources are also laid down for the recovery of the business?

– Are the IT and communication systems sufficiently protected, so that they can resume operation in the required time following incidents?

– Are there plans to test and update the BCP regularly by means of practice drills?

This risk matrix shows three risks that can trigger a business interruption independently of each other: Risk 1 concerns the recall of defective products, Risk 2 a fire in the main production facility, and Risk 3 the loss of the main supplier.

Fig. 8 Example of a risk matrix

[Figure: risk matrix. Loss amount (y axis) and probability of occurrence (x axis), each rated low, moderate, high, very high. A line of acceptance separates the acceptable from the unacceptable area. Risks 1, 2 and 3 are plotted together with their remaining residual risk.]


Event 1: Recall of defective products
Critical business point: No organisation chart available
Business impact: Business interruption, as cause of fault not found
Business impact analysis: Not available
Mitigating actions: Troubleshooting with external consultants
Target recovery: Fastest possible resumption of production
Loss amount: Very high; after improvement of the risk: Moderate
Probability: High; after improvement of the risk: High

Event 2: Fire in main production facility
Critical business point: Fire protection not checked
Business impact: Production discontinuity for indefinite period
Business impact analysis: Not available
Mitigating actions: Restoration of production
Target recovery: Fastest possible resumption of production
Loss amount: Very high; after improvement of the risk: Low
Probability: Very high; after improvement of the risk: Moderate

Event 3: Loss of main supplier
Critical business point: Threat to company’s existence, loss of customers
Business impact: Production discontinuity and business interruption, damage to image
Business impact analysis: Not available
Mitigating actions: Short-term replacement of main supplier, PR campaign
Target recovery: Fastest possible resumption of production
Loss amount: Very high; after improvement of the risk: Low
Probability: High; after improvement of the risk: Low

Fig. 9 Model of a risk analysis in combination with risk evaluation

The measures to reduce a company’s risks are determined and prioritised with reference to the hazard potential of individual business processes. Based on this list of measures, the steps to be taken can be followed individually and checked for their effective implementation.

Column groups:
Risk identification: No., Weak point, Cause
Risk evaluation: Amount of loss, Probability of occurrence
Risk reduction: Measure, Effectiveness, Priority, Costs
Risk control: Responsibility

Rows (rating values as printed):
1. Low Low Low Immediate Low Name
2. Moderate Moderate Moderate Medium-term Moderate
3. High High High High High
4. Very high Very high Very high Long-term Very high

Table 2 Risk reduction measures

The diagram clearly shows the time characteristic of the business interruption and production discontinuity in association with the level of lost production.

[Diagram: behaviour curve of the production discontinuity. Level of lost production plotted against the time characteristic of the business interruption/production discontinuity (start of crisis, during the crisis, end of crisis). Marked on the curve: point of no return, business interruption gap (BIG), return after the gap.]


Identifying areas of weakness: Business impact analysis

What happens if ...? The business impact analysis is used to determine what happens when a specific business function, a machine or a production process fails. What monetary loss arises? And how long would it take to get the business up and running again?

The business impact analysis (BIA) is the cornerstone of BCP, as it forms the basis of the further recovery strategy. In order to determine the relevant business processes at risk of failure and describe them in detail in terms of their importance and impact, questions are put to the senior management. Based on the information received, an analysis is carried out to ascertain how long the company can continue to operate without its existence being jeopardised if areas identified as being at risk fail. Here, any interdependency and contingent losses (see Glossary) arising from the stoppage must also be taken into account.

In order to ensure that business functions and processes are available, the required condition and the actual condition are compared with each other and any weak points identified. The investigations are based on the qualitative and quantitative loss experience in relation to the non-productive time. For areas in which a need for action has been established, the resources needed for disaster recovery are determined, and emergency concepts, transitional procedures and disaster recovery strategies worked out. The BIA can also include initial proposals on how to solve the problem (e.g. with regard to contingent workplaces, emergency staff or possible third-party production).

The business impact analysis results in statements about:

– Loss potentials

– Restart times for critical business functions, and also

– Emergency staff, infrastructure and contingent workplaces

Performance of the business impact analysis is followed by:

– Consolidation of the results: An overview of the critical business functions and their restart times; an overview of the contingent workplaces that will probably be needed; a definition of a standard contingent workplace

– A draft final report with proposals on how the various disaster recovery plans are to be implemented

Table 3 Restart times of essential business units and functions after a stoppage

Columns: Necessary resources; Reaction time in hours (0 to 2, 2 to 8, 8 to 24, 24 to 72, 72 to 120, 120 to 240, > 240); Alternative solution possibility? If so, what?

Rows (necessary resources):
– Location
– Building
– Machine
– Personnel
– PC/software/e-mail
– Phone/mobile/MDA
– PDA
– Fax
– Pager
– Copier
– Office space
– Archive
– Input info
– Output info

As a prerequisite for company-specific emergency preparedness, it is necessary to clarify the following: What resources are needed for the business process? If individual production units or processes should fail, how long would it take for a replacement to be made available or for the situation to be remedied?


Establishing responsibilities: Business continuity organisation

Effective business continuity planning concerns all divisions of a company and requires cooperation at all hierarchy levels. Only a clearly structured business continuity organisation can ensure that strategies are developed, established, maintained and properly implemented in an emergency.

Care should be taken to ensure that all the people involved in preparing and maintaining the business continuity plan are well acquainted with the company’s infrastructure and processes and suited to the tasks in question (e.g. evacuation or IT operations). It is also vital that the responsibilities within the BC process as a whole are clearly defined at all times.

Make-up of the BC team

The top position in the BC management should be held by a representative of the highest company level, as such a person can optimally motivate employees at all company levels: BCP is a matter for the boss. The BC core team should be made up of representatives from the most important and most at-risk areas of the company. This ensures presence and understanding for BC policy, as well as for the associated planning and its implementation in an emergency. The BC core team works strategically, defining the impact of an incident and managing all the continuity activities.

Besides the management team, individual teams can take on more tightly defined tasks: a crisis team could operate locally and objectively in the closest possible proximity to the emergency while emergency service teams were safeguarding the infrastructure and recovery teams were already starting with specific disaster recovery activities. A “modular” organisation guarantees transparency. Flexible manning of the team is also possible: in order to incorporate special knowledge and take account of the various business units and possibly even include several locations, experts may support the teams as required. Instead of a central BCP organisation, it is also possible to have BCP that is organised in a decentralised way. What system is preferred will depend entirely on the practice at the company in question.


Tasks of BC management:

– Loss-prevention research and scenario planning

– Enquiring about and ascertaining crisis-relevant information in the individual divisions in order to establish exposure to accumulations

– Comprehensive, international organisation of BCP

– Constantly adapting and reviewing BCP responsibilities within the company’s individual organisational units and the global organisation

– Defining, refining and adapting the standards, strategies and general guidelines that are to be applied

– Authority to issue instructions to all the units concerned with regard to BCP topics

– Safeguarding, managing and coordinating the worldwide BCP organisation (with respect to both loss prevention and loss minimisation)

– Advising the Board of Management or the General Manager on all BCP matters, including in crisis situations

– Consulting

– Drawing up the business continuity guidelines

– Reporting to the Board of Management or the General Manager

Reachability in a crisis situation

The most modern aids should be used to ensure that members of the BC organisation and the crisis management teams (CMTs) can be reached in an emergency. Multimedia digital assistants (MDAs) guarantee optimum communication, as they can be used like a mobile phone but are also able to receive, edit and forward e-mails with attachments. A prerequisite for the operational use of MDAs is, of course, that the users in question are online.

In a crisis situation, all the people named in the alarm plan are immediately informed about the situation. This happens automatically with the help of special software and an announcement text over the phone. The people are requested to do as they did in the case of emergency XY, or to make their way to the crisis centre immediately.

The virtual BC matrix organisation

In order to safeguard the BCP process within the company, the BC Management should set up a virtual BC matrix organisation. Based on the existing personnel structure, this is made up of those responsible for site-specific contingent planning, crisis management and business recovery at the individual locations.

Global business recovery coordinators are responsible for business recovery planning in the relevant divisions. Assigned to these in each company location are local business recovery coordinators, who are responsible for local business recovery planning. Incident coordinators take care of site-specific contingent planning and local crisis management planning.

The global business coordinator belongs to the first level of management below the Board of Management. The local business recovery coordinator is the business unit’s representative at the location, for example the Branch Manager or the member of the Board of Management of a subsidiary domiciled there. The incident coordinator can be the head of the local facility management unit.

Reporting involves:

– An annual situation report on the current status of the BC organisation within the company

– A regular report on the BC organisation, the BC master plans and the MEAD (maintenance, exercising, audit and development) area

– Exposure analyses

– A report to the company management


Crisis centre

There should be several crisis centres. Mostly there are two, but some management consultants recommend up to five. These should be spatially separated from each other so that they will not all be destroyed in the event of an explosion, for example. Wherever possible, it is advisable to set up at least one crisis centre outside the operating site. The crisis centres must be accessible round the clock and big enough to hold all the members of the crisis management team, as well as having rest rooms, toilets, washing facilities and food and drink. To enable the crisis management team to work, crisis centres need to have the following technical equipment:

– Several computers and relevant software
– Internet access and the possibility of accessing Reuters Insurance Briefing, Bloomberg, etc.
– Photocopiers
– Disaster recovery manual
– Radio
– TV
– Telephones
– Fax
– Mobile phone, MDA
– Press Room
– Secretariat

Clear responsibilities are the precondition for acting effectively in a crisis. The schematic diagram of the BC matrix organisation shows how the individual BC management tasks and functional executives are linked to and depend on each other.

[Organisation chart labels: Head Office; Chairman of the Board of Management/General Manager; BCM; Global Business Recovery Coordinators for Divisional Units A, B and C; Local Business Recovery Coordinators for Divisional Units A, B and C; Incident Coordinators for Group Locations A, B and C.]

Fig. 10 Example of a virtual BC matrix organisation


Developing crisis strategies: Disaster recovery plans

Emergencies cause panic. In order to act properly in crisis situations, all measures must be well planned. With a view to minimising loss and ensuring that a business is up and running again as soon as possible, a disaster recovery manual lays down, step by step, the procedure to be followed – from the alerting routine to resumption of the business function.

When it comes to developing a business continuity strategy, no company has to start completely from scratch. In most cases they will already have process manuals based on certifications, or legally prescribed disaster recovery plans (technical instructions, fire protection, explosion hazard). Other planning bases can be: the internal business plan defining the business functions, documentation on business processes (such as quality assurance and environmental management manuals), and the disaster recovery plans of the company’s operating units (e.g. IT) and external partners (suppliers). Nevertheless, the entire disaster recovery planning operation, including the drawing up of standards and definitions, entails not inconsiderable expense and can take between three months and two years. In the case of complex organisations and functions, it probably makes sense to carry out the development and implementation step by step for individual business units. The procedure will then differ only slightly, regardless of whether the overall structure of the BCP produced in this way is complicated or simple. Analyses of business processes and the economic impact on occurrence of risks form the basis for the systematics of disaster recovery planning.

The result should be a group-wide business continuity guideline that defines the key data of BCP and which the entire Board of Management approves as a binding requirement. The BC guideline will include the business continuity organisation, the business continuity master plan and all the measures for maintaining, exercising, auditing and developing the BCP.

Disaster recovery manual

The disaster recovery manual contains all the documentation that may be of importance in the event of an incident. This means, in particular, the BC master plan, which includes the site-specific contingent plan, the crisis management plan, the business recovery plan and the IT recovery plan. The disaster recovery manual also sets out the BC organisation in detail, with alerting lists, alerting levels, facilities, equipment, etc. being presented as checklists, plans, address lists and decision-making aids.


Planning tools

In view of the complex correlations and floods of data found in companies nowadays, it is essential to use computers to document BCP. In order to draw up a disaster recovery manual, the text retrieval, log and graphics functions in particular are needed. A large range of suitable programs are now available on the market. In the US, the recovery planner and systems produced by Strohl, for example, are used (the designation is incomplete and without rating). Network-based document management tools offer an alternative to these, but they have the disadvantage that some of them are extremely expensive. Standard office software is the cheapest and most widely-used solution, allowing documents to be edited and updated quickly and effectively. The key to success here is the way that the BCP structure is systematically built up. It is important that the systems should be easy to use and that one person can be appointed who knows the system’s possibilities and limits and can ensure its operability.

However, processing data electronically is no substitute for a manual. The most suitable form of manual is a loose-leaf collection that can easily be updated. With a loose-leaf collection, however, care must be taken to use highly stable paper that will not become tattered. Standard-weight paper would definitely be too thin.

Disaster recovery manual requirements

The documentation in the disaster recovery manual ensures that, in the event of an incident, all activities are carried out at the right time, in the right sequence, by the designated persons and with suitable means. The manual must therefore be

– user-friendly and easy to understand,

– practical (checklists),

– easy to update (e.g. from an online version on the company server or from an external operator’s “black sites”), and

– handy at all times.

It is important that it should be worded concisely and in clear language, so that even people with only slight knowledge of the facts can implement the crisis plan quickly under extreme conditions.

Instructions should be provided in the form of checklists. Cross-references that cause the reader to lose valuable time leafing through the manual are to be avoided, as are long-winded background information and arguments. The text should be divided into short blocks. Markings like points and colours serve to guide the reader’s eye. Diagrams, organisation charts and sketches help make things easier to understand. A note at the start of the Disaster Recovery Manual should indicate where other copies are kept – preferably at more than one, largely protected place, alternative locations, or in the private sphere.

Business continuity master plan

The master plan is made up of the site-specific contingency plan (SSCP), the crisis management plan (CMP), the business recovery plan and the IT recovery plan. The detailed plans are drawn up in workshops together with areas of a company that are particularly critical in the event of a business interruption.

Site-specific contingency plan

A site-specific contingency plan that takes account of all the buildings is to be developed for each of the company’s locations. The site-specific contingent plans should be drawn up following a uniform structure defined by the BC management but adapted to the individual conditions of each location. The site-specific contingent plan could be structured as follows.

Site-specific contingency plan (manual)

Table of contents
1 Introduction
2 Overview of disaster recovery organisation
2.1 Overview of crisis management team
2.1.1 Description of crisis management team
2.1.2 General procedure when crises occur
2.1.3 Alerting routine
2.1.4 Crisis centre
2.1.4.1 Emergency equipment
2.2.2 Overview of operational management
2.2.1 Description of on-scene team
3 Information flow
3.1 Alerting procedure
3.2 Escalation levels and their trigger
3.3 Assessment of the event
3.4 Classification form
4 Flow charts
4.1 Bioterrorist attack flow chart
4.2 Bomb threat flow chart
4.3 CO2 alert flow chart
4.4 Burglary/property damage flow chart
4.5 Fire flow chart
4.6 Natural event flow chart
4.7 Evacuation flow chart
4.8 Computer centre evacuation flow chart
4.9 Technical fault flow chart
4.10 Accident/epidemic flow chart

Crisis management plan

When an incident occurs which makes the company’s normal conduct of business impossible or impairs it considerably, the previously appointed crisis management team is summoned. In the case of global companies, a local crisis management team is to be set up for each location to serve as an interface to the head office. Depending on the company philosophy, responsibility for the immediate initial measures in the event of an incident (e.g. first aid, fire-fighting, evacuation) lies either with the local branch or – to avert global economic loss by the company in the case of image crises, for example – with head office.

Where the head office has a crisis management plan, this can serve as a basis for global crisis management with a higher-ranking global crisis management team at the head office location. The crisis management plan includes the following:

a. The escalation criteria and crisis management teams

b. Cooperation between local crisis management teams and the crisis management team at head office

c. The crisis management manual

Re a) Escalation criteria and crisis management teams

The escalation criteria regulate cooperation between the local crisis management teams and their counterpart at head office. In practice, unclear regulations often hamper the effectiveness of crisis management. It is therefore important to specify the precise time when head office must be informed or frequented. For this reason, with incidents it has proved useful to differentiate between “incidents”, “emergencies” and “crises”. The clear definition creates a common basis for cooperation between local branches and head office, as all those involved know what stage they are at and what steps have to be taken next.

An “incident” is when the prerequisites for the business activities in an area of the relevant location are adversely affected for a short time. This would be the case, for example, where all the PCs in a building were down for several hours, with the result that nothing could be produced. An incident is eliminated immediately and permanently within the line as part of incident management.

An “emergency” is when the prerequisites for vital or important business activities in an area of the relevant location are adversely affected for a limited period of time. This would be the case, for example, where a hall was unavailable for five days as a result of a small fire and the associated clean-up operations. An emergency is established and dealt with by the local emergency management team.

A “crisis” is when a sudden situation brings the company to the brink of its capacity or poses a considerable threat to its very existence. The normal organisational and decision-making structures are then no longer sufficient to bring the situation under control. A crisis would be, for example, where production location X was completely wiped out by a locally occurring natural disaster. A crisis is defined as such by the local crisis management team (see figure 12).

As the diagram shows, the crisis management team is made up of the company’s most important departments, thus allowing it to act quickly and unbureaucratically for the benefit of the company that has found itself in a crisis situation. In this case, the head of the crisis management team is joined in the situation centre by the Department for Internal and External Communications, Facility Management, which manages building services and is concerned with implementing everything relating to safety within the company, IT as the backbone of the company, Human Resources to manage employees, and the business units that are responsible for technical input. Administration takes care of all the organisational and secretarial work required to maintain the crisis management team’s operational capability.

Where there is a crisis or business interruption at head office, the head office’s crisis management team then goes into action. This crisis management team is also mobilised as soon as the local crisis management team is no longer able to handle a crisis at one location and it threatens to develop into a global crisis (see figures 13 and 14):


5 Escape and rescue routes plan for building XYZ
6 Building parameters XYZ
7 Checklists
7.1 Bioterrorist attack/Operational management checklist
7.2 Bomb threat/Operational management checklist
7.3 Burglary/Property damage/Alarm tracer checklist
7.3.1 Burglary/Property damage/Operational management checklist
7.4 Fire/Alarm tracer checklist
7.4.1 Fire/Operational management checklist
7.4.2 Fire/Engineering checklist
7.4.3 Fire/Shift manager checklist
7.5 Natural event/Alarm tracer checklist
7.5.1 Natural event/Operational management checklist
7.6 Evacuation/Operational management checklist
7.7 Technical fault/Alarm tracer checklist
7.7.1 Technical fault/Operational management checklist
7.8 Accident/Epidemic/Company medical officer checklist
7.8.1 Accident/Epidemic/Operational management checklist
8 Appendix

Example of a site-specific contingency plan


Re b) Cooperation between the local crisis management teams and head office’s crisis management team

The crisis management team is in charge of and responsible for all activities involved in crisis management and emergency operation until the normal conduct of business has been restored. It bears responsibility for decisions and the resulting measures and consequences. In the cases of crises that cause business interruptions, the following basically applies:

– The head office’s CMT is authorised to issue instructions to all the business units, Group subsidiaries and branches affected. The local CMTs are authorised to issue instructions within their remit.

– Each CMT defines the areas and/or business processes that are affected by the crisis.

– The CMT is concerned only with the exceptional situation of the areas or processes affected; otherwise, the competence of the line organisation remains.

Whenever an incident or emergency occurs in the business unit, the business recovery coordinator or head of operational management at head office is informed. He decides whether the incident/emergency can be handled locally or not. If it can be, normal operation is resumed. If there is a serious incident, this is reported to the head of the crisis management team, who then has to decide whether or not to declare a crisis. If the local crisis can be handled, normal operation is gradually resumed; if there is a genuine crisis, the crisis management team must be mobilised. The team then starts to deal with the crisis.

Fig. 11 Local crisis management model

[Flow chart labels: Incident/Emergency; Info; (Global) Business Recovery Coordinator for Divisional Unit or Head of Operational Management at Head Office or Incident Coordinator (IO); Divisional Unit; Handle incident/emergency (Yes/No); Normal operation; Head of the crisis management team decides whether or not to declare a crisis (Yes/No); Mobilise crisis management team; Manage crisis.]

Fig. 12 Crisis management team model for the company’s local branch without head office

[Organisation chart labels: Head of the crisis management team; Situation centre; Administration; Communications; Facility management; IT; Human resources; Units affected.]

In the event of a local crisis, the local crisis management team meets in the situation centre and initiates the necessary steps to deal with it.


Head of CMT

When it comes to crisis management, the CMT is responsible for the following:

– Decisions and management of the crisis and/or the business interruption

– Gathering, evaluating and disseminating information from and for customers, business partners, employees, supervisory authorities and the media

– Introducing and ensuring organisational, technical and constructional measures appropriate to the situation

– Introducing and implementing transitional and disaster recovery procedures in a controlled way

– Matters relating to environmental protection and waste management

– Providing support with determining and clarifying the cause of the loss (possibly in cooperation with insurance companies, police, etc.)

In the case of potential crises or business interruptions, escalation – i.e. transfer of responsibility to the next level up – is carried out at the head office location by the global business recovery coordinators of the business units present in the company (see BCP matrix organisation) or by the head of operational management to the head of the crisis management team.

The head of the local crisis management team decides whether the local crisis should be escalated to the head of the CMT at the head office, as only he can foresee whether a global crisis can develop. He decides whether the CMT at head office, i.e. the global crisis management team, should meet to avert a possible crisis for the company, or whether the request from the head of the local CMT can be delegated back to the local CMT, owing to lack of any global impact on the company.

Fig. 13 Global crisis management model

[Flow chart labels: Local crisis; Local CMT; Manage crisis; End crisis; Transfers the escalation from the local CMT to the head of the CMT at head office; Global crisis (Yes/No); Mobilise head office’s crisis management team.]

The head office’s CMT has exactly the same structure as the local CMT, the only difference being that Facility Management has an on-scene team at head office for dealing with local loss or damage.

Fig. 14 Model of the crisis management team for the head office

[Organisation chart labels: Head of the crisis management team; Situation centre; Administration; Communications; Facility management; Local team; IT; Human resources; Units affected.]


Business recovery plan

Parallel to management of the risk, the disaster recovery process starts, with efforts being made to restore operation of the core activities as soon as possible. The resumption of business operations takes its cue from the company’s priorities, that is to say the business functions determined in the business impact analysis, the loss of which would threaten the company’s continued existence. In the case of serious damage, longer recovery periods would have to be contended with on account of relocations, delivery times for replenishment orders, etc.

For the business recovery plan, project-oriented solutions including scheduling should be developed. The disaster recovery procedure is set out step by step and in the same detail as that for escalation and alerting in the crisis management manual. Graphic design, organisation charts and flow charts help make the recovery plan easy to understand.

The following questions are to be taken into account in business recovery planning:

– Has a suitable process been selected for analysing the procedures?

– Have people been appointed to develop solutions?

– Do security arrangements exist with external partners?

– Is internal and external communication about the disaster recovery ensured (checklists)?

– Has provision been made for regular training and tests?

In order to maintain jobs and guarantee business operations, there are in practice the following possible solutions:

– Job sharing: existing jobs are done by several employees working shifts. Advantage: costs not affected. Disadvantage: high administrative expenses, for example through additional hardware and software being required and the high frequency of moves.

– Setting up emergency workplaces, for example in meeting rooms, training rooms. Advantage: premises and furniture available. Disadvantage: PCs and additional infrastructure required.

– Setting up home-office workplaces. Advantage: decentralised and ready for use at all times. Disadvantage: very high cost of providing laptops and setting up the IT infrastructure.

– Use of MDAs (multimedia digital assistants). Advantage: completely independent of area and location.

With local crises that can develop into a global crisis from one company location, the head of the local CMT refers the crisis to the head of the CMT at head office.

The latter decides whether or not to summon the crisis management team and arranges for the required members of the CMT to be alerted.

Re c) Crisis management manual

The crisis management manual serves as a guide to managing crisis situations for the crisis management team concerned. It defines the most important tasks in crisis management, the structure and members of the crisis management team, the alerting and escalation procedures, the crisis centre and the checklists for the individual roles within the crisis management team.

The crisis management manual also contains lists of people and companies that may be of vital importance in a crisis situation.

Crisis management manual

Table of contents
1 Introduction to crisis management
2 Organisational structure of crisis management
3 Escalation and alerting
3.1 Escalation model
3.2 Alerting requirements of the alarm organisation
4 Basic information
4.1 Members of crisis management team
4.2 Assessment of the event
4.3 Checklists for putting crisis centre into operation
4.3.1 Crisis centre I
4.3.2 Crisis centre II
4.4 Overview of immediate measures (0 to 24 hours)
4.4.1 Overview of follow-up measures (24 hours to 1 week)
4.5 Important telephone numbers
5 Crisis management team checklists
5.1 Checklist for head of crisis management team – Calling together the CMT
5.2 Checklist for assistant head of CMT
5.3 Checklist for legal coordinator
5.4 Checklist for secretariat
5.5 Checklist for disaster recovery officer
5.6 Checklist for press officer
5.7 Checklist for human resources coordinator
5.8 Checklist for assistant human resources coordinator
5.9 Checklist for infrastructure coordinator (General Services)
5.10 Checklist for representatives of divisional units affected
6. Other
6.1 Pocket Guide to Crisis Management

Example of the layout of a crisis management manual


At the end of the recovery planning, it should be clear where, by whom, with what, how and in what order business operations can be resumed following a business interruption. The results of the recovery planning are documented in a manual that may look something like the following:

IT recovery plan

These days, most businesses and production techniques are so heavily dependent on IT infrastructures that any interruption in IT hardware or software services renders the normal conduct of business or production impossible. Restoring the IT infrastructure is therefore almost always the first step following any business interruption. The technical measures in the area of IT recovery are virtually endless and vary according to the restart time that is needed or has to be observed. They break down as follows:

Hot solutions: Clustering and mirroring techniques. This is understood to mean a second computer centre that belongs to the company and has exactly the same status as the original computer centre. The mirroring is carried out at regular intervals.

Warm solutions: Provision of resources. All the hardware and software needed to manage a crisis is held in readiness. The reaction time from the crash is between four and 24 hours.

Cold solutions: Procurement in an emergency. This is understood to mean premises solutions with or without computers, for example empty offices, canteens, mobile data halls or containers. The reaction time from the crash is about one to three days (depending on the size of the company). All the measures for restoring IT functions are described in an IT recovery plan.


Business recovery (manual)

Table of contents
1 Introduction
2 Disaster recovery organisation for XYZ Department
3 Escalation and alerting
3.1 Escalation model
3.2 Alerting requirements
4 Basic information
4.1 Members of crisis management team
4.1.1 Crisis Centre I
4.2 Critical restart times
4.3 Emergency workplaces
4.3.1 Technical requirements
4.3.2 Emergency working materials (reference files)
4.4 Overview of immediate measures (0 to 24 hours)
4.4.1 Overview of follow-up measures (24 hours to 1 week)
4.4.2 Overview of long-term measures (1 to 4 weeks)
4.5. Important telephone numbers
4.5.1 Notification lists
5 Checklists for restart of XYZ Department
6 Other

Example of the layout of a business recovery manual

IT recovery plan

1. Introduction
1.1 Purpose
1.2 Scope of application
1.3 Distribution list
1.4 Maintenance and up-to-dateness
1.5 Responsibilities
1.6 General conditions
1.7 Definitions
2 Basic information
2.1 Restart requirements
2.2 Failure scenarios
2.3 Emergency preparedness strategy
3 General computer centre information
3.1 Company’s computer centre
3.2 Computer centre security
3.3 Security access control
3.4 Power supply
3.4.1 Uninterruptible power supply
3.4.2 Mains backup system
3.5 Air-conditioning supply
3.6 Basic operating information
3.6.1 Production computers
3.6.2 Operating times
3.6.3 Standby times
3.6.4 Incident and problem management procedures
3.6.5 Storage media
3.6.6 Data backups and outsourced archives
4 Emergency documentation
5 Availability of personnel, hardware and applications
6 Control rooms and meeting points
7 Dealing with the media
8 IT continuity management
9 IT crisis management team
10 Emergency response teams
10.1 Emergency response team leaders
10.2 Data-storage emergency response team
10.3 Network emergency response team
10.4 Client emergency response team
10.5 Server emergency response team
10.6 Production emergency response team
10.7 Security emergency response team
10.8 Return teams
11 Subordinate measures
11.1 List of damage
11.2 Logging of emergency response
11.3 Post-processing of disaster management
11.4 Adapting documentation
11.5 Eliminating causes
11.6 Removing provisional arrangements
12 Supplementary documents
13 Appendix

The IT recovery plan lays down all the measures for restoring the IT infrastructure.


Procedures alter, machinery and equipment are modernised, staff change. To ensure that BCP also actually works in a crisis situation, it must be regularly updated. Otherwise, the action plans would be obsolete in a relatively short time, and implementing them in an emergency could do harm rather than good. Besides constant updating, it is also necessary to create awareness of the importance of BCP among employees at all levels. Training courses and seminars are suitable for this. Test alarms and – even more comprehensively – simulation drills then keep the BCP strategy alive. Any errors and weaknesses in the plans drawn up will show up at the latest when an imaginary loss is tried out. The exercises are thus a kind of quality assurance and have the effect of getting all those involved used to the stressful situation of a business interruption and minimising the problem of reaction time. It appears advisable to hold training courses and exercises about once a year. Because they are very expensive, simulations tend to be confined to particularly critical processes and functions. In order to deal in a structured way with the predetermined features of a crisis in a test, a script is written which is analysed following the exercise. For reasons of objectivity, people not directly involved in developing BCP should do the analysis. The results and all the revisions of procedures, organisations and data (all the way down to changed telephone numbers and room numbers) go into updating and further developing the tools and, as such, form part of a process of continual improvement.

Internal and external audits are also used to ensure the quality of BCP. To this end, as part of its responsibilities, the BC management checks whether the rules agreed beforehand are complied with in the individual business units and whether the BC organisation and BC set-up tally with the actual planning. To ensure that the maintenance, exercising, auditing and development of business continuity planning are also actually carried out, the tasks and responsibilities associated with these must be established. The following list gives an example of the content of a MEAD plan:

Rehearsing for the real thing: Testing and developing the BCP

The best business continuity planning can fail in an emergency if it is not constantly adapted to current conditions and regularly practised. Tests, training, audits and simulations are the supreme discipline of business continuity planning.

MEAD

1 Introduction
2 Maintenance (upkeep and changes)
2.1 Ongoing maintenance and adaptation of the entire local and global BC organisation
2.2 Adaptation of the system to new risks discovered in the course of loss prevention measures
3 Exercising
3.1 Exercising intervals, types of exercises, exercise locations
3.2 Scenarios
3.3 Assessment
3.4 Documentation
3.5 Exercise reports / Lessons learned
4 Audit
4.1 Developing auditing procedures and methods
4.2 Worldwide auditing of business continuity planning: site-specific contingency plan, crisis management plan and business recovery plan
4.3 Documentation
5 Developing
5.1 Building up a network of experts and exchanging experiences
5.2 Training and further training
5.3 Adaptation to the prevailing state of the art in each case
5.4 Development of a business continuity software tool
6 Other

Example of the layout of a Maintenance, Exercising, Audit and Development (MEAD) manual.


Transferring risks: Business interruption insurance

Just as it is necessary to have holistic business continuity planning individually tailored to the company in question, so it is essential to have a tailor-made business interruption insurance solution. It is all a question of finding a sensible combination.

Why is BCP necessary in the first place when it is possible to obtain insurance cover for financial losses caused by business interruptions? How are BCP and business interruption insurance connected? When does BCP start and when do the benefits under a business interruption policy end? These are the questions that companies usually ask where business continuity planning and the arrangement of business interruption insurance are concerned. The explanations given below should help clear up frequent misunderstandings about the purpose of insurance cover.

In short, BCP regulates the preventive and reactive action to be taken in a crisis situation, whereas business interruption insurance is aimed at covering the consequential financial loss of selected hazards (e.g. of a fire). By paying standing charges, the cost of necessary loss minimisation measures and the profits lost, business interruption insurance contributes to a company’s economic recovery following a crisis. Whether and, in particular, for what amount business interruption cover is needed is determined with the help of a business impact analysis, taking account of the worst-case scenario. Risks that are not transferred to the insurer, because they are not insurable or the entrepreneur does not want the cover, should be avoided as far as possible, or at least reduced, by means of BCP.

But even where a company has arranged business interruption insurance, it is important to carry out BCP to ensure that no critical points are overlooked. For with ill-conceived recovery measures, there is a danger that a company can no longer recover from a major incident, even where a business interruption policy pays out for consequential loss arising from the event. Insurance therefore offers no guarantee that a company will actually survive a crisis. It is thus all the more important that a good risk manager should understand how to use both tools – BCP and BI insurance – together in a sensible way. The need to incorporate BI insurance into the company’s risk management is something that many risk managers have now recognised, but it is still not being consistently implemented enough.


Fig. 15 Determining the BI sum insured

At the time a BI policy is arranged, it is only possible to refer to values of previous business results, although these can increase in subsequent years through the expansion of business activities or higher sales. It is therefore important to adjust the sum insured upwards, particularly where periods of indemnity in excess of 12 months are arranged, in order to avoid underinsurance.

[Chart labels: Gross profit; Gross profit lost; Actual gross profit (with BI loss); Basis for BI insured value; Occurrence of property damage; Liability period; Business result in the last financial year; Gross profit over comparative period; Adjusted gross profit; Reserve loading as a consequence of expected increase in turnover; Period of insurance.]


Point c includes, for example, the cost of temporary buildings and hired machinery, extra shifts, overtime, or extra costs for airfreight. What is decisive is that, under a basic business interruption cover, these expenses are insured only to the extent that they actually help reduce the insured consequential loss. This means that the indemnity is limited to the economic benefit (so-called economic limit). Other costs in respect of measures that do not directly reduce the consequential loss (e.g. special PR activities) can also be insured as required, but for a limited amount.

The insured consequential loss therefore corresponds to the lost operating profit and the money spent on (fixed) standing charges. Overheads and operating profit, however, are indemnified only to the extent that the policyholder could not earn them as a result of the interruption. In order to calculate the consequential loss, the operating result during the period of interruption – the period during which operations were disrupted by the business interruption – is compared with the result that the business would have achieved had the business interruption not occurred. Overheads, however, are reimbursed only where it is legally necessary or economically justified to continue paying them.

Main features of BI insurance

The object of business interruption insurance is the consequential loss arising in a business as a result of property damage. Property damage caused by fire, for example, can cause an appreciable reduction in production or service, or even a total business interruption. The result is a direct purely financial loss or a loss of profits. It is then the job of business interruption insurance to make good this loss of profits (profit lost and other costs arising as a result). This should put the company back to where it would have been if there had been no consequential loss.

Business interruption insurance essentially covers three main areas:

a. The net profit that would have been made if there had been no consequential loss

b. The normal standing charges that still have to be paid and cannot be reduced

c. The (loss minimisation) costs incurred in order to reduce the duration and extent of the business interruption loss


Fig. 16 Determining the sum insured

When property damage occurs, the immediate impact on a business interruption loss can vary considerably, depending on the business. This will be significantly influenced by a flow of goods that is still intact (stocks, processing, sale). As soon as this flow is reduced or lost altogether, the operating overheads can no longer be earned, leading to a business interruption loss. Once production has been resumed (technical readiness to operate), the operating overheads rise again sharply in order to get back to the full commercial readiness that existed prior to the loss.

[Chart: turnover, costs, profit and loss over a time axis numbered 1 to 12 and 1 to 6, with the markers "Occurrence of property damage", "Technical readiness to operate" and "Commercial readiness to operate".]


Calculating the probable maximum business interruption loss (PML)

The probable maximum loss (PML) as a result of business interruption in the period of indemnity resulting from the loss must be determined taking account of the worst-case scenario (see glossary for definition). As the insured business interruption must normally be caused by property damage, the circumstances that are decisive for calculating the PML in property insurance are also to be taken as the starting point for the business interruption PML. However, they do not give any information about the possible size of the consequential loss that only develops over time, once the property damage has occurred, and is therefore largely dependent on the time element.

The following risk features can have a decisive influence on the business interruption PML:

– Internal interdependencies

– Seriousness of the business interruption risk (property damage risk exposure, type of production process, existence of bottlenecks, dependence on computer systems, seasonal production or turnover)

– Duration of interruption (time needed to restore buildings and replace or repair production equipment and machinery, probability of loss of clients/market as a result of the loss, availability of workers, existence of standby equipment)

– Loss-minimisation measures during the period of interruption (increasing production in parts of the business unaffected by the loss, overtime, special shifts, outsourcing of production to third companies, temporary equipping of operating departments, shift of production, reduction of costs, accelerated replacement of operating supplies and raw materials)

– Risk of contingent losses through dependence on third companies (level of dependence, level of business interruption risk of those third companies, extensions of cover in respect of contingent losses [cf. section “Coverage extensions”])

Sum insured

For the insurance policy, the sum insured generally has two meanings. On the one hand, it forms the basis for calculating the premium, and its amount determines the cost of the insurance for the insured company. On the other, it sets an upper limit to the indemnity payable by the insurer and has a considerable influence on the intensity of the insurance cover. The sum insured is usually geared to the value of the insured interest. Determining the insured value is therefore a prerequisite for setting an appropriate sum insured. To avoid underinsurance, the insured value should constantly be adjusted and checked again in the event of a loss.


Prerequisites for an insured business interruption loss

As already mentioned, the basic prerequisite for indemnification under standard business interruption cover is that there should be a causal link between the business interruption and the property damage. The occurrence of the property damage is normally what triggers the cover. This property damage must have occurred at the operating unit (insured premises) specified in the insurance policy and affect an item of property used operationally. The place of origin of the loss occurrence can be anywhere else, however. The property damage need not therefore be direct damage. Consequential property damage (as a result of fire, for example) can also trigger the BI insurer’s obligation to indemnify. It is necessary for property damage to have occurred at the operating unit named in the policy. The items affected by the property damage need not be owned by the insured company either. It is enough if the item of property in question is used operationally or is intended to be so. This also includes items of property that have been hired or loaned, acquired under reservation of ownership or assigned by way of security to third parties. Business interruption insurance therefore also assumes liability for the consequences of property damage in cases where the destroyed production facilities are loaned, rented or leased, for example.

Insurability of entrepreneurial risks

There are, however, certain risks that insurers cannot assume, as they cannot be handled by means of underwriting. This is the case where

– the losses do not occur by chance but are foreseeable,

– the probability of a loss occurring cannot be assessed, or

– the loss potentials exceed the insurer’s ability to pay.

Examples of such “entrepreneurial risks” are internet, environmental and product risks, risks arising from new technologies or also financial risks that are unconnected with property damage. Where for these and similar cases no insurance solutions are possible that can deal with the company’s requirements in a tailor-made way, it is particularly important for the risk management process to show ways in which these risks can be countered (e.g. through self or external financing, reserves).

Business interruption insurance is a full-value insurance, which means that the value of the insured operating profits and standing charges must be determined as accurately as possible in order to fix the sum insured. Unlike in property insurance (for which the values of the present apply), in BI insurance the future insured values must be forecast, that is to say the future profits. As the business trend of the company that is to be insured is subject to fluctuations, fixing the right sum insured is very demanding.

Taking as an example here the system of cover applying in Germany and the UK, for a period of indemnity (see next section “Limiting the term of the insurance cover”) of 12 months the sum insured corresponds to one year’s gross profit. In the case of longer periods of indemnity, the sum insured is multiplied accordingly, which means that for a period of 24 months it is doubled.

Limiting the term of the insurance cover

Because of the special time dimension of business interruption insurance, it is necessary to limit the insurer’s liability not only in terms of amount but also in terms of time. The period of indemnity, that is to say the maximum period of time agreed in the insurance policy for which the insurer is liable following the occurrence of a loss, therefore also influences the amount of the value insured. With basic business interruption cover the period is 12 months, but it can be extended to up to 36 months if required. The period of indemnity normally runs from when the property damage occurs, even if the resulting disruption of operations and the business interruption loss only become apparent later. When the cover ends is handled quite differently on the individual insurance markets. Under the European form of cover, for example, the period of indemnity applies until a company is ready to operate commercially again (so-called “economic recovery”), i.e. the loss of market share may also be included. Liability ends no later than upon expiry of the contractually agreed indemnity period, however. Under the system of cover applying in the USA, on the other hand, the business interruption loss is indemnified only during the “restoration period” of the damaged or destroyed property, which corresponds to the time when the state of being technically ready to operate again is reached. Of late, however, it has also become possible to extend this period by a few months.


Insured company’s obligations

Time is money! For business interruption losses and all measures for minimising loss, this maxim is of fundamental importance. One essential principle of BI insurance is therefore also that the policyholder undertakes to resume operations as quickly as possible in order to limit the business interruption loss. It is absolutely essential that the loss be reported to the insurer without delay so that the insurer can jointly keep track of the measures taken to minimise loss and influence them wherever possible.

Because business interruption insurance covers purely financial loss, the policyholder’s accounting records form the basis for calculating the loss. In order to be able to assess the actual BI loss properly, normally the last three years’ accounting records, inventories and balance sheets must be available. The documents must be kept in such a way that they cannot be destroyed during a loss event. Where this obligation is not met, it can lead to reductions in the indemnity paid or even to the insurer being released from its duty to indemnify, as correct calculation of the loss is then barely possible any more, or not possible at all.

Determining the business interruption loss

Determining the loss under business interruption insurance is a very complex task, and a real challenge in the case of major incidents. The main reason for this is that the subject-matter of a BI policy consists not of values that are already available but of the insured company’s future earnings that cannot be generated in the event of a loss. Settling claims correctly requires broad experience and expertise, especially in operational matters. It is therefore not unusual to call in a neutral expert chosen by both parties to determine the BI loss.

Without going into more detail on the topic, which is subject to a variety of influences, the calculation of a BI loss can be presented in simplified form as follows:

Coverage extensions

Below we briefly explain the most important extensions of cover that can be incorporated into business interruption insurance. Because of possible loss accumulations and/or unknown risks, however, the insurer cannot get an overall picture of these extensions, which means that they are very difficult to quantify. They can therefore only be included in the insurance to a limited extent on a first-loss basis (see glossary for definition).

Additional increased costs of working

These are loss minimisation expenses that exceed the economic limit and therefore no longer reduce the insurer’s liability. Such a situation will arise above all with companies that have to maintain at least part of their operations at all costs, as they would otherwise lose considerable market shares in the long term, for example in the case of newspaper printers, bakeries, certain commercial undertakings and especially service enterprises.

Denial of access

This extension of cover relates to access to the insured premises being possibly hindered or rendered impossible as a result of property damage in the near vicinity, with or without intervention by the authorities (fire brigade, police), which leads to a significant interruption. Here it makes no difference whether the insured business or the items of property located in it are damaged or not.


Calculation of business interruption loss

  Presumed turnover (without loss)   €1,000,000
– Actual turnover (despite loss)       €500,000
= Lost turnover                        €500,000
– Variable costs                       €300,000
= Gross profit lost                    €200,000
+ Loss minimisation costs              €100,000
– Fixed costs saved                     €50,000
= BI loss                              €250,000


Failure of public utilities

Power failures in particular can severely disrupt a business and, in the absence of safety concepts (e.g. emergency power generators), can even paralyse it completely and cause further huge costs (recommissioning of machinery, goods destroyed during the production process, etc.). Loss of earnings as a result of a business interruption loss caused by a power failure and preceding property damage to insured items can be insured with an extension of cover if the loss was caused by a failure of the public supply of electricity, water, gas or telecommunications services.

Tailor-made BI insurance solutions

The explanations and definitions given are generally based on BI insurance solutions that are available as standard products on the individual insurance markets (here, Germany and the UK). These are recognisable from the prerequisite of property damage, insured perils defined in the same way, and more or less standard insuring clauses. It should therefore be noted that deviations from usual market practices by insurance brokers can exist, as well as “homegrown” terms and conditions expressly offered by insurers.

Insurance products for business interruption

Below you will find a list of the standard business interruption insurance products usual in the market. We do not, however, go into more detail here about the particular features and contents of the individual products.

Contingent losses

Contingent losses arise as a result of property damage in an outside company or at a policyholder’s business location that is not documented in the policy. “Outside companies”, i.e. companies that are not owned by the insured company, may be suppliers (also suppliers of suppliers), customers (also suppliers of customers), payroll processing firms or independent warehouses. Property damage at such a company that has dealings with the policyholder can lead to a decline in or loss of sales at the insured company without it having suffered any property damage.

Unlike contingent losses, which can only be insured in the form of an extension, so-called “interdependency losses” are included in the cover under standard BI insurance. An interdependency loss is where property damage occurring at the insured company’s operating site A leads to a business interruption at its operating site B. For cover to apply, both operating sites A and B must be mentioned in the insurance policy.

Additional costs for delays on account of orders under public law (conditions imposed on rebuilding or operation)

Following insured property damage, the company may, as a result of conditions imposed by the authorities, incur considerable additional costs that significantly increase the business interruption loss (e.g. through impairment of the environment, the neighbourhood or the site location). The additional costs incurred as a result are insurable, provided the laws or orders forming the basis of the conditions imposed had come into force before the loss occurred. The risk of additional costs as a result of legal orders is often not recognised or massively underestimated; in many cases the true extent of such conditions only becomes apparent when there is a loss.


Standard business interruption insurance products usual in the market

Property insurance
– Fire BI insurance (Germany)
– Loss of gross profit (UK)
– Loss of revenue (UK)
– Gross earnings form (USA)
– Business income (USA):
  · including extra expense
  · without extra expense
  · Extra expense only
– Contingent BI insurances:
  · Failure of public utilities
  · Interdependency and contingency losses
  · Access restriction
  · Rebuilding restrictions as a result of orders under public law
– Stand-alone increased cost of working insurances (additional increased costs of working)
– Machinery loss of profits
– Electronic equipment BI
– Building interruption
– Advance loss of profits (ALOP)

Engineering BI insurances
– Machinery loss of profits
– Computer and software BI
– Advance loss of profits

Business closure insurances
– Closing of company by authorities owing to epidemic risk

Marine consequential loss insurances

Remarks

Most insurance products do not cover consequential business interruption losses arising from:
– War events of any kind
– Terrorism
– Nuclear risks (special solutions for nuclear power plants)
– Entrepreneurial risks
– Currency and exchange rate risks
– Computer viruses
– Occurring events that are not sudden and unforeseen
– Events that are not preceded by property damage

Special risks whose insurability must be examined very closely:
– All natural hazards like earthquake, windstorm, flood
– Sociopolitical risks
– Pollution, contamination
– Losses as a result of official orders and provisions

All risks versus named perils covers:
In named perils covers, each insured peril is individually enumerated and defined, unlike in all risks covers where all risks that are not expressly excluded (list of excluded perils) and are the consequence of “accidental, unforeseen physical damage” are insured.


Summary

For most companies, the consequences of a business interruption can mean ruin. These days, no company can afford to be cut off even for just a short time from activity in the market as a result of an incident, irrespective of whether this turns out to be major or minor. In this connection, we would point out that not only should BCP be obligatory for large, international and global companies but also that it is an urgent requirement for small and medium-sized enterprises (SMEs) as well. Such enterprises are particularly at risk with regard to liquidity and availability of financial resources. To avoid having to suffer any serious losses or being squeezed out of the market altogether, every company management should set great store by forward-looking risk management and support its implementation at all levels.

The aim of these activities is to identify every conceivable, realistic risk that a company might be faced with (“thinking the unthinkable”) and establish approaches for minimising possible losses. This will enable the company to tackle and manage incidents in a coordinated and structured way. To this end, a business continuity team, made up of company employees, draws up a crisis plan setting out step by step all the measures required to deal with the emergency and get the business up and running again after an interruption.

Such plans are of little use, however, if they are not tested for their fitness at regular intervals and adapted to processes of change.

It is not enough, however, to confine oneself to purely technical and organisational possibilities of risk management. The business continuity planning that is integrated into the company should certainly be supplemented with business interruption insurance covering the financial consequential losses that arise when specific risks occur. Because of the extremely complex subject matter, it is advisable to agree a business interruption insurance solution that is adapted to the individual operating requirements. The insurance industry has professionally competent advisers available for this who can work out and offer a solution that will satisfy all the parties involved.

The best way of counteracting incidents that cause financial losses – and one that we therefore urgently recommend – is by sensibly combining the two preventive tools of BCP and BI insurance.


Glossary

The following definitions form the basis for communicating about business continuity planning and business interruption insurance.

Assessment period
The assessment period is a term from industrial fire business interruption insurance and is used to determine the insurance value.

The assessment period ends at the point in time when there is no more business interruption loss, and upon expiry of the period of indemnity at the latest. Prior to this time, the presumed operating profit and the standing charges that the policyholder would have generated in the last 12 months without the business interruption are taken into account (= insurance value).

It should be noted that the assessment period is fixed differently from market to market.

Business continuity guideline
Binding guideline for carrying out business continuity planning

Business continuity management (BCM)
Procedure for safeguarding the business continuity process in the company

Business continuity master plan
Part of the business continuity guideline that describes the individual types of plan:
– Site-specific contingent plan (see below)
– Crisis management plan (see below)
– Business recovery plan (see below)
– IT recovery plan (see below)

Business continuity MEAD (maintenance, exercising, audit and development)
Maintenance, tests, exercises, audits and further development of the business continuity process

Business continuity planning
Synonym for business continuity process

Business continuity process
The business continuity process is a management process that identifies the possible consequences that can endanger a company. As part of the process, targeted procedures for maintaining operations and protecting persons, property and assets in the sense of added value are worked out.

Business continuity strategy
The business continuity strategy defines the way in which the company can be protected against emergencies and crises in the medium term (approx. 2–4 years) or long term (approx. 4–8 years). The business continuity strategy is based on the company’s vision and guiding principles.

Business impact analysis (BIA)
The BIA is the cornerstone of BCP. Based on a survey of senior management, the relevant business processes and the ones at risk of failure are defined in terms of their importance and impact, and described in detail.


Business interruption
All internal and external events that lead to interruption of the actual business and have an immediate and sustained effect on the company’s economic situation.

Business recovery
All measures to get the business up and running again following an outage or interruption

Business recovery plan
Plan describing all the measures to get the business up and running again following an outage or interruption

Contingent losses
Contingent losses arise as a result of property damage at an outside company (or at a policyholder’s business location that is not documented). Outside companies are companies that are not owned by the insured company, e.g. suppliers (also suppliers of suppliers), customers (also suppliers of customers), payroll processing firms or independent warehouses.

Contingent losses lead to a decline in or loss of sales in the insured company, without it having suffered any property damage itself. It is, however, a prerequisite that the facility location involved belongs to a company that supplies products to the policyholder.

Crisis
A crisis is a suddenly occurring situation that can bring the company to the limits of what it can cope with or pose a considerable threat to its existence. A crisis is defined as such by the local crisis management unit. The normal organisational and decision-making structures are no longer sufficient to master a crisis.

Crisis management
Management process of the management team designed to maintain the company’s ability to act in a potential or acute crisis. As described in the site-specific contingent plan, the immediate initial measures following the occurrence of an “emergency” or “crisis” (e.g. first aid, firefighting, evacuation) are the responsibility of the operational management and are thus not part of the crisis management.

Crisis management plan
Plan describing the most important measures to be taken by the relevant crisis management teams when dealing with a crisis. In particular, it involves:
– gathering, evaluating and disseminating information from and for customers, business partners, employees, supervisory authorities and the media;
– introducing and ensuring organisational, technical and constructional measures appropriate to the situation;
– introducing and implementing transitional and disaster recovery procedures in a controlled way;
– providing support in determining and clarifying the cause of the loss (including insurance companies, police investigations, etc.).

Crisis management team
The crisis management team is the management team for all the divisions affected, until the resumption of normal business operations has been ensured. It is responsible for decisions and also for the measures and consequences resulting from them.

Disaster recovery manual
The disaster recovery manual contains all the plans that are of relevance in a crisis situation, e.g. the site-specific contingency and evacuation plans, crisis management plan and also the business and IT recovery plans.

Economic limit
The payment of indemnity is limited to the economic benefit, i.e. loss minimisation expenditure is insured under basic BI cover only to the extent that it also actually helps to reduce the insured business interruption loss.

Emergency
An emergency is when the prerequisites for carrying out important business activities in an area at the company location in question are impaired for a limited period of time. The local operational management establishes that there is an emergency and deals with it.

Emergency workplaces
Alternative workplaces that are made available for a unit’s emergency operation

First loss
Where insurance on a first-loss basis is agreed, every loss is indemnified up to the amount of the sum insured, regardless of whether the sum insured corresponds to the insurance value of the insured items of property at the time of occurrence of the loss. Any underinsurance is therefore not taken into account. In property insurance, first-loss insurance is usefully employed where it would be excessively difficult to calculate an insurance value (cost items).


Global business recovery coordinator
In companies that operate internationally, this is the person responsible for the objectives and orientation of the business recovery procedure in the relevant division.

Incident
An incident is the brief impairment of the prerequisites for the business activities at the location in question. It is eliminated immediately and permanently within the line as part of incident management.

Incident coordinator
The person responsible for the site-specific contingent planning and crisis management planning at the company location in question

Insurance value
See “Assessment period”.

Interdependency losses
Many businesses or firms have several operating sites (firms belonging to the group). Property damage occurring at operating site A can thus lead to a business interruption at operating site B. As long as both operating sites are listed in the insurance policy, these so-called interdependency losses are also insured.

IT recovery
All measures to get the IT up and running again after an outage or interruption

IT recovery plan
Plan regulating all the measures to get the IT up and running again after an outage or interruption

Local business recovery coordinator
In international companies, this is the person responsible for the objectives and orientation of the Business Recovery Procedure in the relevant Division at the location in question.

Operational management
Disaster recovery organisation at the relevant company location that is mobilised in an emergency as part of the site-specific contingent plan. Escalation to the company’s crisis management is carried out by the operational management.

Period of indemnity
The insurer is liable for any business interruption losses normally arising within 12 months following occurrence of the property damage. This period is known as the period of indemnity. It is possible to agree longer periods of indemnity.

PML
PML stands for “probable maximum loss” (cf. the section “Calculating the probable maximum business interruption loss” on page 35).

Restart time
The restart time is the time a process, a unit, an application or an IT system needs to function again properly in accordance with the operational requirements.

Site-specific contingent plan
Plan describing all the immediate measures following an emergency or crisis in buildings.

Site-specific contingent planning
All the measures used immediately after the occurrence of an emergency or crisis to protect human life, material assets and property.

Threat analysis
Exposure analysis that considers all the conditions and processes of relevance to business interruption in a holistic examination of the company

Underinsurance
Where the sum insured is lower than the insurance value at the time of occurrence of the insured event (underinsurance), only that part of the loss is indemnified that bears the same ratio to the overall loss as the sum insured bears to the insurance value.

Indemnity = loss × sum insured / insurance value

Worst-case scenario
The maximum possible loss occurrence, calculated in monetary terms, that can affect a company as a result of a specific risk.


Literature

Books

HB 221:2003 Business Continuity Management by Standards Australia; Standards Australia International Ltd., Sydney 2004.

Heyen, Edgar: Leitfaden der Feuer-Betriebsunterbrechungs-Versicherung [Guide to fire business interruption insurance], Verlag Versicherungswirtschaft e. V. Karlsruhe, 2nd edition 1976.

ISO/TS 16949 Quality Management Systems in the Automotive Industry, item 6.3.2 Disaster recovery plans.

Wieczorek, M., Naujoks, U., Bartlett, B. (Editors) (2003) Business Continuity. Berlin, Heidelberg, New York: Springer-Verlag.

Workshop

RIMS Fellow Workshop (2004): Disaster Planning, Business Continuity Planning and Management. Montreal (Quebec), June 14–15.

MR Risk Management and Industrial Insurance Workshop (2007): Case Study TMC. Munich: www.munichre.com/de/service/connect/general_services.

Internet links

BSI (British Standards Institution): www.bsi.org.uk

DRI (Disaster Recovery Institute): www.drii.org

FFIEC (Federal Financial Institutions Examination Council): www.ffiec.gov

NIST (National Institute of Standards and Technology): www.nist.gov

NFPA 1600 (National Fire Protection Association): http://www.nfpa.org

PAS 56/BS25999: www.pas56.com

The Business Continuity Institute: http://www.thebci.org

Risk and Insurance Management Society, Inc.: http://www.rims.org

Authors

Dr. Gerhard Schmid
Head of Section Casualty Risk Consulting
Tel.: +49 (89) 38 91-98 69
Fax: +49 (89) 38 91-7 98 69
E-mail: [email protected]

Martin Wullschleger
Underwriter Corporate Underwriting Property
Tel.: +49 (89) 38 91-52 18
Fax: +49 (89) 38 91-7 52 18
E-mail: [email protected]


© 2008
Münchener Rückversicherungs-Gesellschaft
Königinstrasse 107
80802 München
Germany
Tel.: +49 (89) 38 91-0
Fax: +49 (89) 39 90 56
http://www.munichre.com

Responsible for content
Corporate Underwriting

Person to contact
Dr. Gerhard Schmid
Tel.: +49 (89) 38 91-98 69
Fax: +49 (89) 38 91-7 98 69
E-mail: [email protected]

Martin Wullschleger
Tel.: +49 (89) 38 91-52 18
Fax: +49 (89) 38 91-7 52 18
E-mail: [email protected]

Picture credits
Getty Images


Order number 302-05697