Business Continuity Planning…. Recovering From Disasters
ACE USA Business Continuity Planning…. Recovering From Disasters IBTTA Facilities Management and Maintenance Workshop October 23-25, 2011 Nashville, TN Ray Szczucki ACE USA Inland Marine


ACE USA

Business Continuity Planning…. Recovering From Disasters

IBTTA Facilities Management and Maintenance Workshop
October 23-25, 2011, Nashville, TN
Ray Szczucki
ACE USA Inland Marine

ACE USA Copyright © 2011 ACE

Any opinions or positions expressed in this presentation are the presenter’s own and not necessarily those of any ACE company.

The information, material and descriptions contained herein are intended only as a general overview of certain types of insurance or insurance-related services. The description(s) of insurance coverages, policies or services herein shall not amend, modify, replace, alter, or otherwise change the terms, conditions, limits, provisions, exclusions or endorsements contained in any policy issued by the insurance companies of ACE USA. Please consult your insurance professional and/or policy for precise terms, limits, exclusions and conditions.

The description(s) and material(s) contained herein shall not provide a basis for a legal relationship between ACE USA, Inland Marine and any potential or existing customer and give no cause to anyone for claims, demands, assertions or other rights towards ACE USA, Inland Marine or the insurance companies of ACE USA, either on a contractual or on a non-contractual basis.

The material(s), descriptions of insurance coverage(s) and/or program(s) and/or the information provided herein shall bestow no rights or obligations upon ACE USA, Inland Marine or any customer or potential customer and shall not be distributed by anyone for any commercial or non-commercial use, purpose or intention without the express written permission of ACE USA.

Objectives

Develop Better Understanding of Business Continuity Plan (BCP)

Become Familiar with Critical Components of BCP

Identify How BCP Process Can Improve Overall Risk Management

The Big Picture

Emergency Response Plan

Damage/Condition Assessment

Initial Recovery Procedures

Business Continuity/Resumption

Recovery/Restoration Plans

Disaster Declaration

Return to Normal Operations

[Timeline axis: Incident, Hours, Days, Weeks, Months]

Potential Risks

Which Is Most Important?

Property
• Fire
• Earthquake
• Flood
• Windstorm
• Terrorism

Liability
• Auto/fleet
• Premise/Facility
• Operational

Employee
• Workers Comp
• Workplace violence
• Wages/Benefits

Business Risk
• Facility access
• Toll Revenue
• Contingent exposures
• Civil disturbances

Financial
• Bond Ratings
• Cash Flow

Operational
• Unsafe Conditions
• System Impairment
• Facility Closure
• Utilities Disruptions
• Environmental

Why Implement a Business Continuity Plan?

Plan for Crisis in a Non-crisis Environment

May Not Be the Cause, But May Be the Consequence of Disaster

Forecast Potential Risks & Develop Plan of Action

A Business Continuity Plan can help to…

• Ensure Organizational Survival After Disaster
• Minimize Financial Loss & Negative Publicity
• Meet Ethical & Legal Obligations to Employees, Customers, Suppliers & Community
• Identify Process Inefficiencies & Single Points of Potential Failure
• Maintain Positive Image of Organization
• Protect Jobs, Assets & Revenue Earning Ability
• Maintain Customer Confidence
• Identify Operational Exposures & Risks
• Expedite Restoration of Service & Facility Operation

Exposure Events

Natural
• Hurricane/Typhoon
• Tornado/Cyclone
• Windstorm/Tropical Storm
• Freezing Temperatures
• Flood/Dam/Levee Failure
• Earthquake
• Drought
• Forest Range & Urban Fire
• Avalanche
• Snow/Ice/Hail Collapse
• Tsunami/Tidal Wave
• Volcanic Eruption
• Landslide/Mudslide
• Dust/Sand Storm

Exposure Events

Man-Made
• Fire
• Hazardous Materials
• Environmental Incidents (Spills & Releases)
• Transportation Accidents
• Public Demonstration/Civil Disturbance (Riot)/Strikes
• Terrorism
• Sabotage
• Radiological Accidents
• Explosion
• Bomb Threat
• Power/Utility Failure

Evaluation Areas
• Security
• Emergency Response Services
• Special Hazards
• Engineering
• Transportation
• Medical
• Legal Counsel
• Public Relations
• Communications
• Personnel
• Insurance

Needs Assessment

Physical Needs
• Equipment
• Utilities
• References

Personnel Needs
• Medical/health
• Engineering
• Fire & rescue
• Security
• Environmental protection
• Transportation
• Public relations
• Salvage

Business Continuity Plan

A Risk Mapping Approach

Business Continuity Model

[Diagram: components of the Business Continuity Plan]

Assessment Components
• Threat/Risk Analysis
• Vulnerability Assessment
• Business Impact Analysis
• Resource & Service Requirement

Disaster Prevention & Mitigation Programs
• Loss Control Program
• Preventive Maintenance Procedures
• Security Programs (Corporate, Data, Building, Network)
• Vital Records Program
• Utilities (Power, Water, Air, Waste, Telecom)

Emergency Response Program
• Locational Response Procedures
• Company, Employee Needs

Crisis Management Program
• External Crisis Communication (PR)
• Internal Crisis Communication (HR)
• Crisis Management Plans

Contingency Plans (Response, Recovery, Resumption, Restoration)
• Business Unit and Process Plans
• Network Plans (Data, Voice, Video)
• Computing Plans (Mainframe, PC, LAN/WAN)
• Technology Plans
• Locational Facility Plans

Training and Awareness

Exercise and Maintenance

Business Continuity Plan

Essential Business Continuity Plan Elements

Assessment Components

Disaster Prevention & Mitigation Programs

Emergency Response Program

Crisis Management Program

Contingency Plans

Exercise & Maintenance

Assessment Components: Threat/Risk & Vulnerability Analysis

Utilizing Risk Mapping

Assessment Components
• Threat/Risk Analysis
• Vulnerability Assessment
• Business Impact Analysis
• Resource & Service Requirement

Risk Mapping Process

Identify Risks That May Negatively Affect Company Earnings or Operations

Qualify Risks

Determine Relationships Between Risks

Chart or Graph Risks to Help Prioritize Action

Integrate with BCP

Risk Mapping: Plotting the Risks

[Chart axes: Frequency and Severity, each from Low to High]

Select a Base

Can Change by Risk Category

Risk Mapping: Plotting the Risks (Severity)

[Chart axis: Severity, Low to High]

Low to High

Range of Financial

Percent of Probability

Risk Mapping: Plotting the Risks (Frequency)

[Chart axis: Frequency, Low to High]

Low to High

Number of Years

Number of Events

Threat/Risk Analysis

Probability: High=3, Medium=2, Low=1

Threat: Speed (slow=1, fast=2) + Duration (short=0, long=1) + Warning (yes=0, no=1)

Impact: High=3, Medium=2, Low=1

Relative Weight = Probability x Threat x Impact
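
The scoring scheme on this slide, applied to a small hazard register and ranked by Relative Weight. This is an added example, not part of the original presentation; the Hazard class, the function names and the ratings given to each hazard are constructed for illustration, while the rating scales and the formula are the slide's.

```python
from dataclasses import dataclass

# Rating scales exactly as listed on the slide.
PROBABILITY = {"high": 3, "medium": 2, "low": 1}
IMPACT = {"high": 3, "medium": 2, "low": 1}
SPEED = {"slow": 1, "fast": 2}
DURATION = {"short": 0, "long": 1}
WARNING = {"yes": 0, "no": 1}

@dataclass(frozen=True)
class Hazard:  # hypothetical record type for one register entry
    name: str
    probability: str
    speed: str
    duration: str
    warning: str
    impact: str

def _lookup(scale, value, field):
    # Reject ratings outside the slide's scales instead of scoring them silently.
    try:
        return scale[value.lower()]
    except KeyError:
        raise ValueError(f"{field}={value!r} is not one of {sorted(scale)}") from None

def threat_score(h):
    # Threat = Speed + Duration + Warning, so it ranges from 1 to 4.
    return (_lookup(SPEED, h.speed, "speed")
            + _lookup(DURATION, h.duration, "duration")
            + _lookup(WARNING, h.warning, "warning"))

def relative_weight(h):
    # Relative Weight = Probability x Threat x Impact, so it ranges from 1 to 36.
    return (_lookup(PROBABILITY, h.probability, "probability")
            * threat_score(h) * _lookup(IMPACT, h.impact, "impact"))

def rank(register):
    # Highest weight first; ties are broken alphabetically for a stable order.
    scored = [(relative_weight(h), h.name) for h in register]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))

# Constructed register: hazard names come from the deck, the ratings are assumptions.
SAMPLE_REGISTER = [
    Hazard("Earthquake", "low", "fast", "short", "no", "high"),
    Hazard("Flood", "medium", "slow", "long", "yes", "high"),
    Hazard("Power/Utility Failure", "high", "fast", "short", "no", "medium"),
    Hazard("Hurricane/Typhoon", "low", "slow", "long", "yes", "high"),
    Hazard("Bomb Threat", "low", "fast", "short", "no", "low"),
]

if __name__ == "__main__":
    for weight, name in rank(SAMPLE_REGISTER):
        print(f"{weight:>2}  {name}")
```

With these constructed ratings, a frequent, no-warning utility failure of medium impact outranks a high-impact but rare earthquake, which is the kind of prioritization the relative weight is meant to surface.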

Risk Mapping

Hazard Identification

Probability Assessment (Frequency)

Consequence Analysis (Severity)

Risk Assessment

Business Continuity Program Financial Benefits

Cost Savings from Business Process Efficiencies & Emergency Procurement Expense Controls

Establishes Procedures to Account For Costs Incurred During Recovery

Identifies Key Vendors, Customers & Suppliers

Evaluating Loss Costs

Inflation Factors

Location of Event: Domestic vs. Global

Availability of Replacement Equipment & Components

Competition Pressures

Loss History

Industry Data

Building/Equipment Costs

Business Continuity Plan Costs

Amount Subject: PML Estimates

Business Continuity Model

[Diagram: components of the Business Continuity Program]

Assessment Components
• Threat/Risk Analysis
• Vulnerability Assessment
• Business Impact Analysis
• Resource & Service Requirement

Disaster Prevention & Mitigation Programs
• Loss Control Program
• Preventive Maintenance Procedures
• Security Programs (Corporate, Data, Building, Network)
• Vital Records Program
• Utilities (Power, Water, Air, Waste, Telecom)

Emergency Response Program
• Locational Response Procedures
• Company, Employee Needs

Crisis Management Program
• External Crisis Communication (PR)
• Internal Crisis Communication (HR)
• Crisis Management Plans

Contingency Plans (Response, Recovery, Resumption, Restoration)
• Business Unit and Process Plans
• Network Plans (Data, Voice, Video)
• Computing Plans (Mainframe, PC, LAN/WAN)
• Technology Plans
• Locational Facility Plans

Training and Awareness

Exercise and Maintenance

Business Continuity Program

Disaster Prevention & Mitigation

Prevention Aspects

Implementation of Controls

Training & Awareness of Personnel

Disaster Prevention & Mitigation Programs
• Loss Control Program
• Preventive Maintenance Procedures
• Security Programs (Corporate, Data, Building, Network)
• Vital Records Program
• Utilities (Power, Water)

Emergency Response Program

Plans & Procedures

Damage Assessment

Activation of Disaster Team

1st response to any emergency
– Local Emergency, Police, Fire, HAZMAT
– Employee Safety

Emergency Response Program
• Locational Response Procedures
• Company, Employee Needs

Crisis Management Program

Plans & Procedures

Public Relations
– Media
– Community
– Govt. Agencies

Employee Communications

Crisis Management Program
• External Crisis Communication (PR)
• Internal Crisis Communication (HR)
• Crisis Management Plans

Contingency Plans

Response, Recovery, Resumption, Restoration Plans & Procedures

Business Units & Processes

Identification of Interdependencies

Contingency Plans (Response, Recovery, Resumption, Restoration)
• Business Unit and Process Plans
• Network Plans (Data, Voice, Video)
• Computing Plans (Mainframe, PC, LAN/WAN)
• Technology Plans
• Locational Facility Plans

Exercise & Maintenance

1. Enforce quality assurance & change management

2. Implement progressive exercise program

3. Coordinate lessons-learned from exercises

4. Coordinate full & unannounced exercises

5. Promote ongoing awareness & training

[Diagram labels: Training and Awareness; Exercise and Maintenance]

Implementation - Critical Success Factors

Top Management Commitment

Resource Allocation

Regular Exercises

Documentation

Key Points

BCP Is a Critical Element of Risk Management Process

BCP Will Only Succeed If Critical Risks Are Identified & Prioritized

Risk Mapping Can Be Effective Tool for Risk Identification

Questions

Thank you.