Points of Discussion

Transcription

1 Business Continuity Planning Considerations for Business Process Offshoring Todd Litman, CBCP DRJ Spring World March 18, Points of Discussion Business Process Offshoring Benefits & Risks Business Continuity Impacts +/- Threat & Risk Assessment Methodology Risk Mitigation/Management 2

2 Business Process Offshoring Offshoring is the practice of performing defined business processes and functions in a foreign country. What type of companies could use BPO strategies? Examples: Production Organizations Products Processes Almost any company! Technology Organizations Software Development Support Software Production Support 3 Benefits & Risks Benefits to an organization include Shareholder Value Processing Enhancements Competitive Advantage Risks to an organization include Operational Risks Reputational Risks Regulatory / Legal Risks What is the Total Economic Impact (TEI)? (Total Economic Impact = Total Cost of Ownership + Risk + Benefit) 4

3 Business Continuity Impacts +/- Requires Broader View Higher Visibility Process Diversification Event Management Documentation Differences Country Threat / Risk Monitoring Increased Ownership & Accountability What are some additional impacts on a BCM Program? While you can outsource the responsibility, you CANNOT outsource the accountability! 5 Threat & Risk Assessment Methodology Questionnaires Interviews Existing BCM Documentation Site Visits Existing Contracts Stakeholder Knowledge 6

4 Internal Focus Develop Contractual Requirements BC Planning Enhancements Ensuring for Process Resiliency BPO Process Heat Map Event Management Guide Scenario Exercises External Focus Vendor Management Program BCM Program Scorecard Synergy of BCM Programs 7 Develop Contractual Requirements Partner with Legal and Sourcing Review Existing Language Look to BCM Industry Documents for Guidance Ideas for Consideration: Quality Control Standards Security Standards (Information & Physical) Business Continuity Program» Evolving program of scope & maturity» Integration with BCM Program Business Interruption Insurance Audit / Regulatory Reporting 8

5 BC Planning Enhancements Validate BIA and Risk Assessment Are BPO threats identified, scored, etc? Does the BIA support the BPO partnership? Set standards for recording the relationship Process & Vendor information Identify interdependencies Enhance event management strategy» Tasks/actions (assign ownership)» Employees with job knowledge» Processes that can be put on hold 9 Ensuring for Process Resiliency What do you need to know about your offshore processes if an event were to happen? First Step: Develop a List of Processes Purpose: Event Management Guide Development Contents: RTOs Contacts Locations where the process is performed Critical deadlines etc 10

6 Ensuring for Process Resiliency Second Step: Develop a Process Heat Map Purpose: Compare Business Process Risk vs. Resiliency Process: Partner with Risk Specialists for Criteria Development» Establish framing questions» Set answers and assign values» Determine question weights and overall scoring ranges Interview Process Owners» Ask framing questions and record answers» Apply values to weighted formulas Insert Processes and Results into Heat Map» Identify process information» Document risk and resiliency levels 11 Ensuring for Process Resiliency Process Heat Map Criteria Examples Process Risk Level What is the process RTO? What is the financial impact after 5 work days? What is the customer impact? What is the operational impact? Process Resiliency Level What is the process absorption rate? How many processing locations? How many BPO companies performing process? BC Plan maturity level? 12

7 Ensuring for Process Resiliency Process Heat Map Scoring the Answers Risk Level Scoring Question Answer Value Weight Score % % % % 0.20 Totals 100% 2.30 Risk Levels High = Moderate = Low = Resiliency Level Scoring Question Answer Value Weight Score % % % 0.60 Totals 3.30 Resiliency Levels High = Moderate High = Moderate = Moderate Low = Low = Ensuring for Process Resiliency Process Resiliency Heat Map: LOB #1 Senior Manager: Last Updated: High 1 Process Risk Level Medium 1 Low 1 High Moderate High Moderate Moderate Low Low Process Resiliency Level Plan Name Plan Owner Product / Process Name Product / Process RTO Risk Level Resiliency Level Assessment Plan #1 Process A 24 Hours High Low Ineffective Plan #2 Process B 72 Hours Medium Moderate Low MinimallyEffective Plan #2 Process C 72 Hours Low Moderate High Optimized 14

8 Ensuring for Process Resiliency Minimally Effective 7% Process Resiliency Pie Chart Ineffective 7% Optimized 33% Period of Time Adequately Effective 20% Point In Time Effective 33% 10 Number of Processes Process Resiliency Timeline 0 Q Q Q Q Q Event Management Guide BPO event specific scenarios Latency issue Short term outage Long term outage Some things to include: Product/Process Information Assumptions, Responsibilities, Tasks, etc Contact Information (Internal & External) Product/Process Workflows Subject Matter Experts Product/Process Interdependencies 16

9 Scenario Exercises Planning Set Objectives Determine Invitees Select Scenario Executing Allow Breakout & Group Times Document Discussions & Questions Perform Training Enhancing Find Answers & Perform Follow-up Update Event Strategy Documents Publish Detailed Report & Begin Action Items Improved preparedness levels across the organization! 17 Vendor Management Program Policy & Procedures Program Framework Risk Review Exercise Strategies / Determine Gaps Program Lifecycle Enhance BC Plans / EM Guides Stakeholder Partnerships Contractual Obligations 18

10 Vendor Management Program Vendor BCM Program Scorecard Repeatable process Document maturity levels to support scope and sophistication of BCM capabilities Partner with Risk Division to develop criteria to apply across all reviews Develop scoring method to arrive at maturity score Determine type of documentation Establish various maturity levels for each document type 19 Vendor Management Program Business Continuity Management BPO Partner Review Scorecard Documentation To Be Reviewed Weighted Percentage Score (1 to 5) Weighted Score Review Notes Last Updated BCM Program Governance Documents BCM Policy 3% 0.00 BCM Framework / Roles & Responsibilities 9% 0.00 BCM Awareness & Training 3% 0.00 BCM Program Business Analysis Risk Assessment 10% 0.00 Business Impact Analysis 10% 0.00 BCM Program Business Continuity Planning BC Plan(s) 25% 0.00 BCM Program Disaster Recovery Planning DR Plan(s) 10% 0.00 BCM Program Event Management Planning Event Management Guide(s) 10% 0.00 Pandemic Plan / WorkforceLoss Plan 5% 0.00 BCM Program Exercise Results Business Continuity Exercises 9% 0.00 Disaster Recovery Exercises 3% 0.00 Facility Exercises 3% 0.00 BPO BCM Program Score

11 Vendor Management Program Documentation Being Reviewed Score Definition / Example Criteria Business Continuity Exercises Call tree exercises were completed within the last year. Scenario exercises completed within the last year. Relocation exercises completed within the last year. Shows continued maturity year over year. Call tree exercises were completed within the last year. Scenario exercises completed within the last 2 years. Relocation exercises completed within the last 2 years. Call tree exercises were completed within the last 2 years. Scenario or relocation exercises completed within the last 2 years. 2 Call tree exercises were completed within the last 2 years. 1 No business continuity exercises were completed within the last 2 years. Increase in Scope & Sophistication = Increase in Score 21 Vendor Management Program BPO BCM Program Score Definitions 4.50 to 5.00 = Mature BCM Program BPO BCM Program Review Combined Matrix 0 24 U U U A A 3.50 to 4.49 = Good BCM Program 2.50 to 3.49 = Fair BCM Program 1.50 to 2.49 = Poor BCM Program 1.00 to 1.49 = Inadequate BCM Program Service Expectations (RTO in Hours) U U A A A U A A A A A A A A A BPO BCM Program Score Does the vendor s BCM Program have enough scope & sophistication to meet your service expectations? 22

12 Synergy of BCM Programs Collaborate to assess current state of BCM Programs Continuous improvement agreement Develop event management guide for BPO partners Setting expectations for both parties Requirements before, during, and after an event Engaging your organization Establish scope, objectives and exercise schedule Integrated / Cross-organizational capabilities Types of exercise & frequency 23 Business Continuity Planning Considerations for Business Process Offshoring Todd Litman, CBCP Todd.Litman@53.com 24