davidkayeWDCM2006 1
Business Continuity Management
New Challenges, New Vision, New Ideology
The talk objectives
the challenges in looking forward
real risks to resilience
demands on the business continuity process
managing the business resilience expectation

Pressures for change
New incidents and new impacts
  – man made and natural
regulatory and market interest
new technological opportunities within BCM itself
21st century business models and their challenges

“A risk”
a risk is the threat that an event or action will adversely affect an organisation’s ability to maximise stakeholder value and to achieve business objectives
risk arises as much from the possibility that opportunities will not be realised as it does from the possibility that threat will materialise or that mistakes will be made.
a risk however is integral to all opportunity and is as much about opportunity as it is about threat.

Dominant risk issues
The top 10:
  – 1: loss of Reputation
  – 2: business interruption
  – 3: failure to change
  – 4: product liability/tamper
  – 5: impact of regulation and legislation
• Source: Risk management and Financing Survey 2005 AON

Strategic risk challenges
The art of management consists of issuing orders based on inaccurate, incomplete and archaic data, to meet a challenge which is dimly understood and which frequently be misinterpreted; to accomplish a purpose about which many of the personnel are not enthusiastic.
General William Reader
then……..

The hollow company
The ingredients?
  – the brand or brands
  – other intellectual assets
  – basket of supply chain contracts including front-office
  – legality
  – controls
  – technical ability to deliver immediacy

Risk management context
• Risk evaluation: exposure and impact
• acceptable risks and unacceptable risks
• financial cost: single and multiple events
• human cost
• operational dependencies and time out
• toolbox
• reduce the risk to acceptable levels
• reduce the impact to acceptable levels
• transfer the risk and/or impact
• prepare to finance losses
• contingency management

Failed scenario setting
St Mary Axe Bomb
Hurricane Katrina
UK House prices early 1990s
Stock market falls early 2000
Tsunami
World Trade Center
Buncefield Oil Storage Depot UK
Chernobyl, Belarus
Piper Alpha, North Sea
Auckland Power failure
Iraq war
Afghanistan today
etc. etc. etc. etc.

Stakeholders: before and after
Employees
“Value chain” suppliers
Customers
“Value chain” distributors
Regulators
Media
Private investors
Rating agencies
Quoted investors
Investor advisors
Bankers/financiers
The environment
Current Competitors
Potential competitors

A snapshot of some individual risks
Computer “workarounds”
Large number of trained staff
instantly mines product and client information
new online and speed expectations
credibility in standards and the audit trail
embedded formulae
allows authorised access to information
secures sensitive information
macro and micro communications

Outsourcing
The supplier as a stakeholder
the supplier as a critical deliverer
the supplier in crisis - value of lawyers?
the principal in crisis - supplier reaction?
workforce control and diversion

Outsourcing risks
Failure to deliver, of course
  – on time, in quantity and quality
destruction of the brand
owned and rented intellectual assets
technological, physical and legal ability to read data
continuity plan tick box
contingency service level agreement?

Internationalism
political and legality risks
risks of nature
cultural differences
speed and quality of response
implementing group wide standards

Intellectual assets
Brand values
databases
software
employee intellect
employee skills
licenses
paper files
regulatory approvals
legality
domain names
research
patents
market position
competitor gap
wide stakeholder confidence
  – Many of these are owned by third parties and rented!

e-commerce
B2B and B2C dependencies
security
high reward - high risk environment
speed and scale of impact
managing expectations
managing product recalls?

Regulatory and licence risks
seen to be in control
  – normally
  – during a crisis
audit trail is a crucial dependency
legality and other licences
fastest way to die?

the role of the insurer
values - where needed:
  • spread of unacceptable financial losses
  • expertise and discipline
  • claims handling
but does insurance provide
  • immediate needs to stay in business?
  • Critical arteries insurable?
most important bits excluded

The Business Impact Analysis
The business impact analysis
What it really is
business impact analysis v the risk analysis
ownership of risks and risk decision making
empowering the service supplier and service user relationships
probability

Discussion : Catastrophic impact
- Loss of regulatory or licence approval
- service delivery fails for one day or more
- media attack
- loss of confidence in brand name by the general public
- loss of confidence in the brand name by shareholders
- financial loss of:
  – Capital (say) above $1,000,000
  – group targets 25%
- credit rating fall one full level
- unacceptable risk of life

Business Impact analysis arenas
market machinery, technology and services
group wide machinery, technology and services
departmental machinery, technology and services
loss of building workstations and equipment
failure within the supply chain or distribution chain
loss of access to intellectual assets
specifically, information on paper
loss of individuals and teams
other stakeholder dependencies

Decisions from BIA
understand risk and the likely impact
taking ownership of risk and risk decisions
decide:
  – which exposures are unacceptable?
  – dependencies to be protected and/or duplicated
  – what does continuity planning need to protect and address?

Case studies
Motability
life insurance paper files
computer codes
intellectual assets
supply chain failures
computer back up frequencies and failures
empowering IT manager to spend
dependencies on individuals
World Trade Center
Buncefield denial of access

Business Continuity Plan
Ingredients and uses
Heads on chickens
gold - power, priorities, authorisation, monitoring and media
silver - hands-on, co-ordination, resources and control
bronze - communication, local co-ordination

hurdles
Police barriers and denial of access, including ‘scene of crime’ constraints
insurers
regulators
media
board wish to take opportunities to re-engineer
staff responses
customer and competitor reaction
service suppliers
creditors and bankers
customs and excise
planners and wider environment constraints
group directors and other rambos

Suppliers plans
special challenges of credibility
managing business change
SLA for failure?
whom do their plans protect?
contractual powers?
benchmarking?
demand an exercise? Exercise what?

Special applications
succession planning
bomb threat - special needs
kidnap and ransom
major fraud and crime
product recall
media attack
other

The media
take a problem and turn it into a disaster
“News is something someone doesn’t want to see in print. All the rest is advertising”
scale and the scrum
rapid flow of events
media companies' own agenda

Too low a profile?
“You want to be famous for five minutes? All you have to do is go out and shoot someone – or better still two or three people on successive days” – and watch the hysteria spread like wildfire in CNN, Fox news, NBC, CBS, ABC, BBC, Sky and all the local stations, turning an event of tragic but limited circumstances into an all consuming national and international emergency”
Martin Bell

Benchmarking
regulatory and advisory standards
  – FSA; Singapore, SOX, Basel II, Turnbull etc.
the BCI DRII Good practice guides
Institute of Risk Management Qualification
other benchmarking standards
access to industry standards
external observers

21st century Continuity manager
Risk decisions into the board room
a business, not a facilities, matter
strategic decision making in all crucial areas
survival bang for buck is best from effective risk management
only then; emergency response structure and resources

Summary
understand the risks
understand the potential damage
make decisions around acceptability of risk
manage out unacceptable exposures
see clearly the unmanageable ones
obtain decisions and act on them
information and tools for the continuity plan
ensure trust in the process

Time up!
David Kaye
FCII FBCI FRSA MIRM
Springfields, Down Hatherley
Gloucestershire
GL2 9PY
(0)1452 730117