Business Continuity ManagementBusiness Continuity Management

Scenario Planning Vs Resource Loss PlanningScenario Planning Vs Resource Loss Planning(Old School Thinking Vs New School Thinking)(Old School Thinking Vs New School Thinking)

by Saul Midler (MBCI)by Saul Midler (MBCI)

Agenda:IntroductionRisk Reduction via scenarios(Old School)Business Continuity via Resources (New School)

© Linus ISS 2007

Foundation StoneFoundation Stone

Disasters don’t cause business to fail

Business fail due to poor or non-existent:ProceduresCapabilityExercising

Risk Mitigation only reduces the likelihood of a disruptionThere will always be a residual risk

Introduction

© Linus ISS 2007

ProofProof

Consider 9/112,800 DIED and 185,000 workers lost their JOB* including:

- 7,300 in IT- 3,000 in Accounting- 3,000 in Insurance- 2,200 in Commercial Printing

320 companies did not reopen for business The Survivors include:

- Cantor Fitzgerald lost 658 staff - resumed operations 2 days later- Marsh & McLennon: 3,200 staff over 8 floors- Morgan Stanley: 3,500 staff over 17 floors- NY Port Authority: 2,000 staff over 23 floors

* Fiscal Policy Institute Nov 5, 2001

Introduction

© Linus ISS 2007

WhatWhat’’s the likelihood?s the likelihood?

Research took place in March 2007 by: The Chartered Management Institute (UK), supported by Continuity Forum and the Civil Contingencies Secretariat within the Cabinet Office England

Causes of operational disruption to organisations in the past 6 years

© Linus ISS 2007

Conclusion?Conclusion?

Disruptions do and will happen

This is why preparation is so important

Preparation = Risk Reduction + Business Continuity

Introduction

© Linus ISS 2007

Preparation = Risk Reduction Risk Reduction + Business Continuity

© Linus ISS 2007

What is Risk?What is Risk?

There is Risk in everything we do

Some activities don’t greatly concern usCrossing the roadRiding a motor bike Going on a date

Some activities do concern usInvesting moneyExtreme sportsBusiness management

If the risk is too greatWe need to mitigate the risk or reduce the exposure

Definition:The chance of something happening that will have an impact upon objectives. It is measured in terms of consequence and likelihood

Risk Reduction

© Linus ISS 2007

Business Risk in ContextBusiness Risk in Context

BCMBCM

Risk means different things to different peopleto understand it, you need to put it into context with definition

Risk is very broad – what is our focus?Legal Liability (eg exposure to litigation – faulty products)Political/Regulatory (eg policy sensitivity)Financial/Market (eg risk of credit defaults)Mergers and Acquisitions (eg undisclosed contingent liabilities)Corporate Governance (eg breaches of regulations)Experimentation (eg new product or process, R&D activity)OH&S (eg ensuring worker safety)Market Sector (eg Emerging competitors, new technology)Operational (dependency on Resources and processes)Other…..

Risk Reduction

© Linus ISS 2007

Where does RM sit Where does RM sit wrtwrt BCM BCM

Other…Risk Assessment

Mitigate

BCMBCM

Accept

Risk Assessment

Physical & Logical ResourcesBIA/RDA

Risk Evaluation… Consequences

Likelihood

Insignificant

1

Minor

2

Moderate

3

Major

4

Catastrophic

5

A (almost certain) C S H H H

B (likely) M C S H H

C (moderate) L M C S H

D (unlikely) L L M C S

E (rare) L L L M C

OperationalManagement

Political /Regulatory

Mergers &Acquisitions

Corp GovernanceLegal /Reputation OH&S

FinancialManagement

Accept?

Mitigate?

Risk Reduction

© Linus ISS 2007

Assess RiskAssess Risk

Likelihood (BCI: Probability) - Used as a qualitative description of probability or frequency.

RareE

UnlikelyD

ModerateC

LikelyB

Almost CertainA

DescriptorLevel

Catastrophic5

Major4

Moderate3

Minor2

Insignificant1

DescriptorLevel

Low RiskL

Moderate RiskM

Considerable RiskC

Significant RiskS

High RiskH

Consequence (BCI: Threat Impact) –The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain.

Risk Reduction

© Linus ISS 2007

ConsequenceConsequence

Usually this is straight forward and may be expressed as:

Loss: $1,000,000 per day

Injury: 12 people in Hospital, 4 people dead

Disadvantage: lost 12.5% of market share

etc

Risk Reduction

© Linus ISS 2007

LikelihoodLikelihood

Be careful when considering Statistical Probability:

This relies on: Large sample sizesBehavioural attributes that provide consistency

We need to be part Believer Customers will default on their Credit Card accountsThere will be a disruption due to fire

We need to be part ScepticAre statistics really going to predict the future

- eg 15% of customers never pay their Credit Card account- eg there is a 5% chance of having a fire this year

Likelihood tends to be emotional – how you feel about it!

Risk Reduction

© Linus ISS 2007

Why is this so difficult?Why is this so difficult?

BCM is an outcome from the Risk Assessment, however:

BCM should not be:undertaken as a Risk Management taskdriven by Risk Management philosophy or methodology

Risk Assessment is about:Reducing exposure to something that might happenPREVENTION

Business Continuity is about:Recovering from something that does happenCURE

Risk Reduction

© Linus ISS 2007

What are we actually assessing?What are we actually assessing?Risk Assessment:

Evaluation of an event happening that will cause a problem

Risk Managers consider the likelihood of events such as:Industrial Action Fire FloodEarthquake Power failure StormGas tanker explosion SARS Influenza PandemicStrike Hacking Malicious damageTerrorism Legionella etc etc etc

Risk Management:Reduced likelihood of each event causing a problemCan they reduce the likelihood to Zero? NO, there will be residual Risk?

Risk Managers:think of Scenarios – “What if something happens?”implement mitigation strategies

Scenarios rely on experience and imaginationThe irony is that the possibility exists that they can’t think of everything!

Risk Reduction

© Linus ISS 2007

Preparation = Risk Reduction + Business ContinuityBusiness Continuity

© Linus ISS 2007

What is Business Continuity Management?What is Business Continuity Management?

Effective BCM ensures that your organisation:

has a level of operational resilience appropriate to support the needs of the business as defined by the corporate objectives

has the capability to continue to provide its customers with critical services and products regardless of any operational disruption

maintain appropriate management practices as ‘business as usual’ to ensure that its Business Continuity capabilities always reflect the needs, technology and structure of the business

BCM = Business Driven + Continuity Capable + Management Discipline

Business Continuity

© Linus ISS 2007

The PhilosophyThe Philosophy

When disaster strikes:a business function ceases to produce its outputthe recipient of the output suffers painthe organisation then suffers pain (or goes out of business!!)

Q: Why can’t the output be produced? Think of Cause and Effect - Remember: Disasters don’t cause businesses to fail!!

A: Because one or more RESOURCES are not available

What are Resources?assets that must be available to enable a Business Function to operate and produce its output include computer software, personal computers, telephones, information itself, paper files, pre-printed forms, IT, Network drive, fax machine, skilled staff, machinery, equipment, accommodation, third-party organisations etc.

Business Continuity

© Linus ISS 2007

The Philosophy cont.The Philosophy cont.

How do we stop a disruption from becoming a disaster?Risk Management cannot reduce the risk to zeroNeed to invoke procedures:

- based on business driven restoration priorities- to work around the Resource loss until the Resources are available- to repair or replace the unavailable Resources with respect to:

o Destination (if we have to leave the site)o Quantities

What scenarios will this support?WHY DOES IT MATTER????More than you can imagineALL that result in Resource Loss

Why?Think of Cause and Effect - Remember: Disasters don’t cause businesses to fail!!

The cause of the Resource loss is irrelevant to its replacement

Business Continuity

© Linus ISS 2007

New School ThinkingNew School Thinking

Business Manager defines RTO for the Business Functions

When should the Business Function restart at an acceptable level of capacity?

BIA Business Function RTORestoration Priority Sequence for the business

Business Staff defines Business Resources and their Survival Profiles

What is the acceptable level of capacity? Business Resource RTO and Quantities over time

Restoration Priority Sequence for each Resource

RDA

BIA

Res

ourc

e D

epen

denc

y A

naly

sis

Business Continuity

Business Resource

RTO = 10d

Business Resource

Business Resource

RTO = 3d

Business FunctionRTO = 10d

Business Function

RTO = 3d

InfrastructureResource

Infrastructure Resource

RTO = 2d

Infrastructure Resource

Support Resource

RTO = 3d

Support Resource

Support Resource

RTO = 2dBusiness FunctionRTO = 15d

© Linus ISS 2007

New School ThinkingNew School Thinking

SDBy the RTO:

Where to relocate IRHow to repair or replace IROptions & Costs

Str

ateg

y D

evel

opm

ent

Business Function RTORestoration Priority Sequence for the business

Business Resource RTO and Quantities over time

Restoration Priority Sequence for each Resource

Support Resource RTOBUSINESS determines RTO of IT systems (not ITD)

Infrastructure Resources RTO

BUSINESS determines RTO of IT Infrastructure (not ITD)

Where to relocate SRHow to repair or replace SROptions & Costs

SDBy the RTO:

How to repair or replace BROptions & Costs

SDBy the RTO:

Where to relocate BFWhat BF work aroundsOptions & Costs

SDBy the RTO:

Business Continuity

© Linus ISS 2007

New School ThinkingNew School ThinkingS

trat

egy

Impl

emen

tatio

n

Prioritised Recovery (in RTO) of:Business FunctionsResources (Business, Support & Infrastructure

Contingency Procedures for Business Function:

RelocationWork arounds

Resource Recovery Procedures for:Business ResourcesSupport ResourcesInfrastructure Resources

Where to relocate BFWhat BF work aroundsOptions & Costs

How to repair or replace BROptions & Costs

Where to relocate SRHow to repair or replace SROptions & Costs

Where to relocate IRHow to repair or replace IROptions & Costs

Business Continuity

Pro

cedu

re D

evel

opm

ent

© Linus ISS 2007

Advanced New School ThinkingAdvanced New School Thinking

Prioritised Recovery (in RTO) of:Business FunctionsResources (Business, Support & Infrastructure

Contingency Procedures for Business Function:

RelocationWork arounds

Resource Recovery Procedures for:Business ResourcesSupport ResourcesInfrastructure Resources

When we get there;What do we needHow manyBy when

Destination ResourceAnalysis

Business Continuity

© Linus ISS 2007

Key MessagesKey Messages

Preparation = Risk Reduction + Business Continuity

When considering Operational Disruption:Risk Management = PreventionBusiness Continuity Management = Cure

Disruption = Loss of somethingSeparate Cause from Effect

When considering StrategiesScenarios are infinite Resources are finite

RDA = New School thinking

DRA = ANDVANCED New School thinking!!

?