William Pollock Snr VP


Page 1: William Pollock Snr VP

William Pollock, Snr VP & National Manager, MRC-Risk Services Melbourne

Maintaining Operations in the Face of Unexpected Loss

New Realities in Business Continuity Management

Page 2: William Pollock Snr VP

Marsh 2

General Overview - MRC

Management Consulting Division of Marsh

Global Representation

Principal focus - To provide risk solutions to clients

Multiple portfolios / services / operating synergies

Page 3: William Pollock Snr VP

BCM - A Viewpoint

BEING PROPERLY PREPARED IS A COMPLEX SCIENCE

Page 4: William Pollock Snr VP

AN OPINION

MURPHY’S LAW STILL EXISTS - BUT WE DON’T HAVE TO MAKE IT EASY FOR HIM

WE CAN NEVER COVER ALL THE BASES ALL OF THE TIME - BUT GOOD BCM CAN KEEP YOU IN THE GAME

“WINGING IT” IS FOR THE BIRDS - AND SHOULD BE AVOIDED OR BECOME AN ACTION OF LAST RESORT

IT USUALLY ONLY WORKS WELL:

– IN THE MOVIES OR

– IF YOU ARE ALL GOING IN THE SAME DIRECTION AND READING THE SAME SCRIPT - (ie GOOD BCM)

Page 5: William Pollock Snr VP

BCM - What Does It Mean?

DEFINITION:

The development, maintenance and implementation of strategies; plans and actions to ensure the continued availability of critical business processes and services

It includes:

– pre-empting the impact of an incident / crisis

– responding to the incident / crisis

– implementing contingency / continuity plans

– stabilising / recovering critical functions

– resuming / restoring normal operations

Page 6: William Pollock Snr VP

BCM – What are the Drivers?

Legislation / Regulations / Statutes / Standards / Government Reports

– ASX Corporate Governance guidelines

– CLERP 9

– APRA - Australia (GPS 222)

– Sarbanes Oxley in the USA

– Australian Standards Handbook HB 221 - Business Continuity Management

Precedents / Royal Commissions / Senate Inquiries / Parliamentary Inquiries

Increasing Litigation / Speed of Communication / Investigation / Observations

Customer, employee, stakeholder and supplier expectations

Page 7: William Pollock Snr VP

BCM - WHAT IS REALLY DIFFERENT

COMMUNITY IS BECOMING INCREASINGLY MORE AWARE

EXPECTATIONS ARE HIGHER

LEVELS OF TOLERANCE ARE DECREASING

ENVIRONMENT IS BECOMING INCREASINGLY MORE COMPLEX

PERCEPTIONS CAN “CAUSE DAMAGE”

RULE OF PRECEDENT

Page 8: William Pollock Snr VP

BCM - why do it?

General Findings:

43% of businesses experiencing major disasters never re-open

29% close within three years

< 50% of organisations have business recovery plans and at least 90% never test the plans

75% of businesses are UNABLE TO FUNCTION without IT support within 14 days

“recovery time” is invariably underestimated

“costs” of recovery not always recovered by BI

Page 9: William Pollock Snr VP

Why is the Plan itself – so important?

– regulated requirement

– specific response capability vs risk profile vs time

– optimisation of response & recovery strategy

– pre-determined allocation of resources / equipment

– focussed preparation / implementation / training

– enables assessment of specific capabilities and preparedness against known risk / incident type

Business Continuity Plan

Page 10: William Pollock Snr VP

Business Continuity Management

How do we go about it?

Page 11: William Pollock Snr VP

BCM definitions:

Emergency Response

Crisis Management

Crisis Communication Management

Business Continuity Plan

Disaster Recovery Plan (DRP)

Business Continuity Management

Page 12: William Pollock Snr VP

What are YOU trying to do?

Prevent the problem

Fix the problem

Manage Issues & Implications

Recover and Continue from the event

Protect the Enterprise

Act diligently

Page 13: William Pollock Snr VP

Business Continuity Management (BCM) Marsh Integrated Approach

Policy

Crisis Management & Communication

Recovery Strategies

Training / Awareness

BIA / Risk Assessment

Emergency Response

Enterprise Value

Page 14: William Pollock Snr VP

Plan development - Step by Step Process

[Diagram labels: Critical Business Processes; Recovery Time Objectives; Recovery Procedures; Recovery Priorities; Recovery Options; Alternative Options (Recovery Resources); Business Operations; Actions; Communications]

Page 15: William Pollock Snr VP

BCM – A Development Perspective

Some questions:

What is the actual composition of the impacted activities?

What are the critical elements / processes / areas of dependency associated with the impacted activities?

Where are the bottlenecks and / or key points of failure associated with the impacted activities?

Where does your office / function / organisation sit within the “greater” network?

Are there any factors or 3rd party disturbances - outside your control - which could directly / indirectly affect the recovery efficiency of the impacted activity?

What are the precedents? How can you minimise impact on recovery? How do you retain control?

What level of pain are you prepared to carry before it detrimentally affects the objectives of the business function and its subsequent recovery?

Page 16: William Pollock Snr VP

What happens when a key process is overloaded / disrupted?

Page 17: William Pollock Snr VP

BCM Development: Some Practical Considerations – Think PROCESS !!!!

Mission critical activity:

– Financial and non-financial impacts

– Recovery Time Objective (RTO) & Recovery Point Objective (RPO)

– Critical processes / inter-dependencies identified & prioritised

– Minimum level of resources identified - phased over time

– Key people / teams identified; trained; notified; activated; tasked

– Business recovery – linked to – IT system recovery / Hot Site !!!!!

– Key documents backed up & stored off site

– Expectations of Key stakeholders

– Constraints under which the mission critical activities need to operate

– Recovery priorities & acceptable levels of redundancy identified & confirmed

– Audit; review, train and test

not an exhaustive or prescriptive list

Page 18: William Pollock Snr VP

Coffee Break

Page 19: William Pollock Snr VP

The World Trade Center had two 110-story buildings, known as the "Twin Towers" and five smaller buildings.

• Tower One was 414 meters tall.

• Tower Two was 412 meters.

• Built of aluminum and steel.

• The foundation of each tower extended more than 70 feet below ground, resting on solid bedrock.

• Each tower consisted of 104 passenger elevators and 21,800 windows.

• About 50,000 people worked in the complex, which housed the offices of more than 430 businesses

Page 20: William Pollock Snr VP

Page 21: William Pollock Snr VP

Indicative Incident Response

Evacuation

Setting up an information centre, to register employees and make an inventory of missing or wounded people

Care for employees; families and victims; community

Setting up communication and IT networks

Creating alternative office space

Managing / Recovering day to day business

Security

not an exhaustive list

Page 22: William Pollock Snr VP

Merely Identifying Risks is Not Enough

At Corporate level:

many companies completed a risk assessment report to Turnbull or other Corporate Governance requirements - went no further or “believed” controls “in place” were adequate

Insurance was obviously vital for the businesses affected but it was evident that insurance was not enough to ensure continued operation.

Risk Control is only the starting point - a waste of time unless meaningful follow-up action is taken

Page 23: William Pollock Snr VP

Some BCM Findings - General Market

Processes

– Inability to locate key personnel - after evacuation

– poor security at secondary site

– ill-defined secondary / alternate site transition

– Inability to move to alternative locations with minimal disruptions to ongoing business

– Inability to execute critical business functions in a timely manner

– undefined alternatives in “supply chain”

Page 24: William Pollock Snr VP

Some BCM Lessons - General market

Contingency Planning

– detailed plans - less effective

– logistical errors - common

– inadequate data recovery

– optimistic scenario planning

People

– plans assumed impact on premises / functions

– BUT people skills / intellectual knowledge / resources still available.

– People / intellectual property can be and were lost

– Trauma needed to be managed

– Ability to handle stress and trauma is not always directly associated with seniority

Page 25: William Pollock Snr VP

Some BCM Lessons - General Market

Logistics

– inadequate security for affected offices / companies

– relocation of large numbers of traumatised people and / or support teams involved in recovery

– impact of loss of personnel; services and logistics associated with relocation

Crisis Management

– Confusion

– Secondary EOC - “outside” exclusion zone

– logistics - impaired efficiency / speed of EOC set-up / wide area issues need to be considered

Page 26: William Pollock Snr VP

Some BCM Lessons-General Market

Telecoms

– businesses may not be able to rely on telecom networks in the event of a major emergency

– Examples: need to check for “choke points”

internet reliant firms saw websites down for days

other firms experienced massive surge on internet utilisation causing servers / routers to overload

Page 27: William Pollock Snr VP

Some BCM Lessons-General Market

Reputation Management

– all actions in the gun-sight of the media - during and post incident

– stakeholder management issues not always clearly defined; differentiated or managed appropriately

– public expectations need to be taken into account

– corporate reputation; brand management

– moral issues are paramount eg:

compensation / medical / general insurance benefits / severance

trauma counselling / NOK

– Comparisons are inevitable - No Rules - unless international precedents considered

Page 28: William Pollock Snr VP

Some BCM Lessons-General Market

Risk Identification - outside “Comfort Zone”

if “likely” look for “global precedents & parallels”

do not be blinkered by “corporate / personal history”

do not avoid the “apparently insolvable” - there is usually a precedent

always debate the acceptance of risk and the associated recovery strategy - they do change with time

Page 29: William Pollock Snr VP

What Is Different

Strategic Re-Assessment of BCM fundamentals

– multiple and concurrent points of failure in critical systems

– increased awareness of integration of “knowledge” and systems

– human element + logistics vs technology

– geographical impacts (local-regional-global)

– supply chains / fish-bones

– redundancies vs interdependencies

– cross-industry impacts

– increased regulatory scrutiny

Page 30: William Pollock Snr VP

References – post 9/11

Text sourced from “global continuity.com”

– incorporating findings from McKinsey; Gartner; Dataquest;

Marsh

PWC

Financial Review