National Fire Protection Association’s Contribution to Business Continuity Strategies


about me

1. Retired AVP Senior Business Risk Consultant
2. FM Global Trained:
   1. 35 Years Service
   2. Founder Member of the Business Risk Consulting Group (BRCG) for FM Global.
   3. Senior Account Engineer with Arkwright International/FM Global
   4. Field Engineer/Account Engineer with Factory Mutual International (FMI)
3. Industrial Experience
   1. Servicing FM Global’s Corporate Clients from Account Engineering & BRCG responsibilities.
   2. Conducted Business Impact Analysis (BIA) for pharmaceutical, mining, manufacturing, media, financial services, defence, medical, chemical, power generation… industries.
   3. Quantified financial risks for company’s internal & external global supply chains
   4. Contributed to Business Continuity training programmes & seminars
   5. Reviewed Business Continuity Plans for FM Global clients
4. Professionally Qualified to Masters Degree Level
   1. Member Chartered Management Institute (MCMI)
   2. Chartered Chemical Engineer (CEng)
   3. Fellow Institution of Chemical Engineers (FIChemE)
   4. Certified Business Continuity Practitioner (CBCP) DRII (Member Lapsed)
   5. Affiliate Member of Business Continuity Institute (BCI) (Current)

Business Continuity Management Survey of 1,021 Managers from the Chartered Management Institute 2007-2012

the introduction

[Figure: Business Continuity Management Survey, Chartered Management Institute 2007-2012. Bar chart of % of managers anticipating specific causes of disruption (axis 0% to 80%). Causes listed: School/childcare closures; Pressure group protest; Industrial action; Customer health/product safety incident; Environmental incident; Supply Chain disruption; Transport disruption; Employee health and safety incident; Loss of water/sewerage; Malicious Cyber Attack; Negative publicity/coverage; Extreme Weather (Flood/Winds); Terrorist Damage; Damage to Corporate image/brand/reputation; Loss of Electricity/Gas; Fire; Loss of People; Loss of Skills; Loss of Access to Site; Loss of Telecommunications; Loss of IT.]

[Figure: same survey and causes. Bar chart of % of managers reporting actual specific causes of disruption (axis 0% to 80%).]

[Figure: same survey and causes. Bar chart comparing Anticipated and Actual (axis 0% to 80%).]

[Figure: 12 month record of number and impact by cause of disruptive incidents (2011-12).]

[Figure: % of Organisations with Business Continuity Plans 2002-12.]

Summary of Key Findings:

1. The actual cause of a “major” disruption cannot be reliably predicted at any one time, hence the adopted measures of “likelihood” and/or “probability” of occurrence.
2. The meaning of a “major” impact to a business has different significance, depending on who is asked.
3. The gradual increase in Business Continuity Plans is primarily being attributed to corporate governance, legislation/regulation and customer demands.

my objectives

1. To briefly summarise the origins of the NFPA business continuity standard and to review the approach as a “concept for business survival”.
2. To outline a bespoke Business Impact Analysis (BIA) which can align Business Continuity activity with the entity’s business requirements.
3. To explore where NFPA’s fire protection and business continuity activities could contribute to the continuity strategies for a company’s overall Business Continuity Management Systems (BCMS) programme.

What this presentation is NOT:

1. A debate on all Business Continuity standards.
2. A discussion on risk probabilities.
3. A detailed financial analysis of a company.
4. A preparation of a Business Continuity Plan.
5. A “worst-case scenario” study of an incident in a particular industry.
6. A full list of Business Continuity definitions.
7. A complete description of what is required for a Business Continuity Management System (BCMS), or the BCM Life-Cycle.
8. A review of Emergency Management/Disaster Recovery systems.

the agenda

1. Business Continuity’s Development
   a. the origins
2. Bespoke Business Impact Analysis
   a. the concept
   b. the activity
   c. the analysis
   d. the benefits
3. Business Continuity Strategies
   a. the summary
   b. the conclusion

the origins

NFPA’s Contribution to Fire Protection, Health and Safety

• Codes and Standards Numbered: NFPA 1 thru NFPA 8506
• “Established in 1896, NFPA develops, publishes, and disseminates more than 300 consensus codes and standards that are designed to minimize the risk and effects of fire by establishing criteria for building, processing, design, service, and installation in the United States, as well as many other countries.
• Virtually every building, process, service, design, and installation in society today is affected by NFPA documents.”

Timeline and Status

1995
• NFPA 1600 issued as first standard on disaster/emergency response

2000
• Updated to include “Total Programme Approach”

2004
• Updated terminology and reformatted text

2007
• Expanded conceptual framework for disaster/emergency management & Business Continuity programmes.
• Prevention, risk management, security, loss prevention

2010
• Reordered & expanded Programme Management.
• Addressed planning, implementation, testing & exercising, programme improvement
• Required Business Impact Analysis

2013
• Wide array of changes.
• Alignment with CSA Z1600 & DRII Professional Practices

NFPA 1600: Purpose and Application

Business Continuity adoption:
• Predominant standard for US & Department of Homeland Security (DHS).
• Used in Europe, Latin America, Asia, Chile, China, Colombia, Ecuador, Korea, Thailand, T&T.

Primary Focus: Mid-size to large public not for profit and private sector organisations

Primary objective: High level standard defining the essential elements of an emergency management and business continuity program.

Strategic Objectives based on:
• Prevention & mitigation of vulnerabilities to people, property, environment, business enterprise.
• Programme constraints, operational experience and cost benefit analysis from detailed analysis of all threats, hazards & causes.

Overall Outcome: Procedures for documenting responses primarily according to laws and regulations.

NFPA/DRII Definitions

“Disaster/Emergency Management. An ongoing process to prevent, mitigate, prepare for, respond to, maintain continuity during, and recover from an incident that threatens life, property, operations, or the environment.

Business Continuity. An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services.”

Source: Disaster/Emergency Management & Business Continuity Auditor Training

NFPA 1600 IS A BCM STANDARD …

1. …emphasising programme policies and management components, provides guidelines that address the analysis, planning and implementation of the core elements of crisis management, business resumption planning and IT disaster recovery to manage the impact of disasters.
2. …legally compliant but less concerned with the business requirements of the entity


3.3.3 Business Impact Analysis.

A management level analysis that identifies, quantifies, and qualifies the impacts resulting from interruptions or disruptions of an entity’s resources.

The analysis may identify time-critical functions, recovery priorities, dependencies, and interdependencies so that recovery time objectives can be established and approved.

Source: NFPA® 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2013 Edition

5.3.2 The BIA shall evaluate the potential impact resulting from interruption or disruption of individual functions, processes, and applications.

5.3.3* The BIA shall identify those functions, processes, infrastructure, systems, and applications that are critical to the entity and the point in time [recovery time objective (RTO)] when the impact of the interruption or disruption becomes unacceptable to the entity.

5.3.4 The BIA shall identify dependencies and interdependencies across functions, processes, and applications to determine the potential for compounding impact in the event of an interruption or disruption.

5.3.5* The BIA shall evaluate the potential loss of information and the point in time [recovery point objective (RPO)] that defines the potential gap between the last backup of information and the time of the interruption or disruption.

5.3.6* The BIA shall be used in the development of recovery strategies and plans to support the program.

NFPA 1600 states the BIA should include 3 main components:

1. Identify the lines of process flow (i.e., material flow, information flow, people movement, cash flow) and time constraints.
2. Identify the interruption potentials that describe the financial, regulatory, customer, or operational impacts.
3. Identify the entity’s dependency on technology infrastructure.

Typical observations from my review of Business Continuity Plans:

1. Plans lacked strategic direction from a Senior Management Business Continuity Policy.
2. Plans had no documented ownership, or demonstrated practical support, by appointed Senior Management at Board Level.
3. Plans not aligned with business requirements:
   a. lacked business objectives,
   b. omitted customer requirements,
   c. ignored market demands to maintain a key customer base,
   d. omitted actions to assure delivery of products and/or services.
4. Plans predominantly based on “worst-case” scenarios identified from specific causes of disruption and estimated time required to repair damage and restore operations to normal levels.
5. Plans contained far too much detail and appeared onerous to maintain current.


the concept

What is wrong with these questions?

Each Business Continuity Survey Question is paired with What the Questions should have Asked:

1. Survey question: How will we do business if our critical systems are rendered inoperable?
   Should have asked: How can we maintain delivery of our products/services to achieve survival income?
2. Survey question: How can we resume operations quickly following a business disruption?
   Should have asked: Within what time do we need to recover critical operations to achieve survival income?
3. Survey question: Are there any particular vulnerable aspects to our business that we can eliminate as opposed to harden?
   Should have asked: What strategy is required to reduce our dependency on internal and external critical activities?
4. Survey question: What are the pieces of business that are so critical that a major investment in hardening or redundancy would be justified?
   Should have asked: Which products/services must we deliver to key customers to maintain survival income during recovery of operations?
5. Survey question: Despite taking proper precautions are we still vulnerable to disruption due to outmoded infrastructure in the region?
   Should have asked: ????


BUSINESS SURVIVAL IS PRIMARILY ABOUT MANAGING CASHFLOWS:

1. Maintaining optimum cash-flows over time during periods of:
   • …unplanned disruption to normal operations
   • …recovery to product/services delivery “as usual”
2. Ensuring future growth in income by:
   • …supporting present & future customers
   • …development of future key markets
   • …reflecting changes to the business environment
   • …complying with legislation and regulation

MANAGEMENT MUST BE PRO-ACTIVE IN MANAGING CASHFLOWS:

Management need to…

• …establish business continuity objectives that must be achieved over time to maintain sufficient cash flows for the business in the event of any disruption,
• …approve appropriate Business Continuity strategies to achieve the objectives

TIME IS MONEY!!

[Figure: Service Capacity (Cashflow), 0% to 100%, plotted against Time for an unplanned operational disruption & restoration, showing the normal level of operation and the minimum level of operation for business survival. Phase 1: Incident Response Plan (immediate short term). Phase 2: Disaster Recovery Plan (short to medium term). Phase 3: Business Continuity Plan (BCP) (medium to long term). Annotations: Decision to invoke BCP; Maximum Acceptable Outage (MAO); Increasing size of incident.]

Business Continuity Strategy Objective

…Management pre-determines what needs to be managed right to achieve the objectives…

Causes of Physical Disruption and Pre-Disruption Mitigating BC Strategies

Natural Catastrophes
• Earthquake: Enhanced structural design standards
• Tsunami: Height of tidal levees at susceptible locations
• Flood: Maintenance, dredging, adequate flood walls, barriers
• Windstorm, hurricanes, tornados: Secure buildings & structures to National Standards; adjust ground level gradients, add drainage

Operational Failure
• Loss of Equipment: Alternate providers and/or shared resources
• Mechanical breakdown: Regular maintenance, spare parts policy, duplication
• Property damage: Fire sprinklers, water supply, fire walls, non-combustible construction, fixed extinguishers, hazard reduction
• Construction collapse: Building design codes

Causes of Non-Physical Disruption and Pre-Disruption Business BC Strategies

Reduced Product Sales
• supplier solvency: product substitution, replacement, duplication, dual sourcing
• increased market competition: discount options, target specific markets
• end of product life-cycle: product mix, product churn, new product development
• out-dated business model: expand distribution channels (national vs international), implement internet access, next day delivery…

Operational Failure
• obsolete equipment: phased replacement & updating, standardisation
• loss of key people’s skills: succession planning
• poor management practices: management team skills, Merger & Acquisition (M&A), take-over
• regulation/legal violation: implement sound relationships with governing authorities

Consequences of Disruption

• Loss of productivity
• Customer complaints received
• Increased cost of working
• Service outcome impaired
• Loss of revenue
• Damage to brand/reputation/image
• Product release delay
• Product recall/withdrawal
• Payment of service credits
• Share price fall
• Stakeholder/shareholder concern
• Delayed cash flows
• Expected increase in regulatory scrutiny
• Loss of regular customers
• Fine by regulator for non-compliance

Cost of Largest Single Disruption in Supply Chain (BCI Supply Chain Survey 2013)

Total Cost: Greater than €1mill; €500,000-€1mill; €250,000-€500,000; €50,000-€250,000; <€50,000
% Survey Respondents: 9%; 9%; 19%; 5%; 59%

Stage 1: Understand the Business

• Management establish strategic business continuity objectives
  – Agree minimum cash-flow required for survival.
  – Identify key markets and customers essential to the business.
  – Establish the Maximum Acceptable Outage (MAO) for key products and/or service deliverables.

Stage 2: Develop Strategies for Survival

• Management approve measures for resilience.
• Management approve strategies for continuity.

Stage 3: Implement the Strategies

• Protect physical assets for internal & external resources.
• Enhance resilience of internal & external supply chains for key deliverables, as required.


the activity

[Figure: Sample interdependency flow diagram for Corporate products & services.]

[Figure: Sample Structure for a Company’s Product/Services. Product Categories (Niche Products, Premium Products, Commodity Products); Product Branding; Markets Served; Consumer Profiles.]

[Figure: MISSION CRITICAL ACTIVITIES (MCA). Value chain running from SUPPLIERS to CUSTOMERS through Inbound Logistics; Finished Good or Process Control; Manufacturing or Processing Operations; Outbound Logistics; Marketing Sales & Service. Supporting layers: Firm Infrastructure – Assets & Resources; Management Philosophy; Information Technology & Communications; Business Continuity Management. Output: Profit.]

Understanding the Business: Activity Focus

• Marketing: Sales, Sales Recovery & Customer Profiles
• Finance: Sales/Insurable Gross Profit/Business Income
• Operations: Activity dependency on income stream at each location
• Suppliers & Purchasing: Key product service dependency
• IT/IS/ICT: Dependency on information/data for delivery
• Business Continuity & Disaster Recovery Management: Status and relevance for business needs.


the analysis

[Figure: Sample Financial Dependency Matrix For 12 Months Trading.]

[Table: Market Recovery Profile. Rows: Assumed Period of Disruption (3, 6, 9, 12, 15, 18, 21, 24 months). Columns: Year 1, Year 2, Year 3, giving the percentage of the product revenue anticipated in each year following restoration of supply, as a percentage of the revenue in the year prior to the disruption.]

[Figure: Impact vs Time Recovery Profile for Strategic Income Streams. Cash-flow Impact (% Annual Income), 0% to 200%, against Months of Disruption (3, 6, 9, 12). Series: Production Impact; Market Impact. Data labels: 25%, 50%, 75%, 100%; 50%, 65%, 83%. Annotations: “Worst case” unmitigated impact; Business Continuity Strategies; “Business Continuity Strategic Objective” mitigated impact.]


the benefits

1. Understand the Business & Establish Continuity Objectives
   The Business Impact Analysis establishes bases for key continuity objectives:
   • Product delivery criteria (MAO) for strategic market & income streams,
   • Identifies critical dependencies through internal and external supply chains
   • Identifies “Mission Critical Activities” (MCA) for resources, activities and processes,
   • Quantifies the financial dependency on internal & external resources & suppliers
2. Continuity Strategies
   Pre-plan strategies required to achieve continuity objectives:
   • Know what options are required to achieve optimum cash-flow
   • Identifies “What needs to be managed right” to achieve objectives
   • Protects key physical property assets from physical damage
   • Reviews options to enhance resilience of critical activities and key suppliers

1. Costs for Business Continuity Strategies are spent where there is added value:
   • Enhances the business of the company through improved resilience
   • Improves & enhances alignment with normal business requirements
   • Protects critically dependent physical assets within the supply chains
   • Achieves minimum cash-flow for the business, whatever the cause of the disruption may be.
   • Costs incurred can enhance normal business practice.
2. Integrating Business Continuity Management Systems supports Management:
   • Improves product and/or service delivery to the company’s customer
   • Reduces costs of business continuity
   • Provides competitive advantage for the business from demonstrating added resilience.


the summary

How can NFPA make a contribution to Business Continuity Strategies?

“NFPA 1600 & 13 Codes & Standards provide a consistent quality standard for a company to achieve strategic Business Continuity objectives….”

NFPA 1600 contributes to Business Continuity strategies by advising on:

1. What information should be gathered in a BIA to establish strategic objectives.
2. Guidance for management to assess what strategies should be implemented to achieve the strategic objectives.

NFPA 13 contributes to Business Continuity strategies by:

1. Providing a quality standard for the implementation of physical protection where required as a solution for identified Business Continuity strategies.


the conclusion

The National Fire Protection Association’s Business Continuity activities and expertise directly support a company’s business continuity strategies through:

a) The specification of the content requirements of a Business Impact Analysis in NFPA 1600.
b) Offering qualified expertise and quality products and services through NFPA 13 where the protection of physical assets is deemed a solution to a continuity strategy.

I have:

1. Summarised findings from a Business Continuity survey
2. Briefly explored the origins of the NFPA’s Business Continuity Standard and appropriateness as a “concept for business survival”
3. Described a BIA process which can help establish business continuity strategic priorities and objectives that will enhance the delivery of the entity’s products and services as an aid to business survival.
4. Identified where NFPA’s core competences in the development of specific Codes and Standards can be applied to support an entity’s business continuity strategies

one final thought

Causes of Business Disruption and Sample Cash-flow BC Strategies

Reduced Product Sales
• supplier solvency: product substitution, replacement, duplication, dual sourcing
• increased market competition: discount options, target specific markets
• end of product life-cycle: product mix, product churn, new product development
• out-dated business model: expand distribution channels (national vs international), implement internet access, next day delivery…

Operational Failure
• obsolete equipment: phased replacement & updating
• loss of key people’s skills: succession planning
• poor management practices: management team skills, Merger & Acquisition (M&A), take-over
• regulation/legal violation: implement sound relationships with governing authorities


Thank You for Listening