The 13th Annual Continuity Insights Management Conference


What Enterprise-Wide Business Continuity Really Means
Communicating the value of BC to management and embedding it into the corporate culture

Presented by: Continuity Insights
April 20-22, 2015, Talking Stick Resort, Scottsdale, AZ
Session date: April 20, 2015

"In preparing for battle I have always found that plans are useless, but planning is indispensable." (Dwight D. Eisenhower)

Agenda
- Background
- Program Elements
- What Makes it Enterprise-wide
- Recommended Strategies

Background
Established in 1896, Preferred Mutual Insurance Company is headquartered in New Berlin, New York. It provides property and casualty insurance coverage to individual and business customers through a network of independent agents throughout the Northeast, and is rated "A" (Excellent) by A.M. Best. Please visit us at [URL omitted]; questions to dave.prosser@preferredmutual.com

Where To Begin??? Let's See What the Industry Has To Say

What do we do? (Word cloud of industry terms: Business, Catastrophe, Crisis, Disaster, Emergency, Incident, Risk, Technology (IT), Contingency, Continuity, Disruption, Interruption, Recovery, Resilience, Management, Planning, Preparedness, Program, Readiness)

Business Continuity:
- An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services. (NFPA 1600)
- The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. (DRJ)

Business Continuity Management:
- Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (ISO 22301)
- The process that organizations use to ensure business continuity is maintained across their organization. (DRJ)

Business Continuity Program:
- Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management. (ISO 22301)

More Industry Terminologies Encompassing the Enterprise

Business Continuity Management Program:
- Ongoing management and governance process supported by top management and appropriately resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review. (BCI)

Disaster Recovery:
- The technical aspect of business continuity. The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster recovery includes subsequent resumption and restoration of those operations at a more permanent site. (DRJ)

Disaster/Emergency Management:
- An ongoing process to prevent, mitigate, prepare for, respond to, maintain continuity during, and recover from an incident that threatens life, property, operations, or the environment. (NFPA 1600)
- A program that implements the mission, vision, strategic goals, objectives and management framework of the program and organization. (BCI)

Enterprise-wide:
- Encompassing an entire organization, rather than a single business department or function. (FFIEC IT Examination Handbook, Business Continuity Planning, Appendix B: Glossary)

Enterprise Risk Management (ERM):
- ERM includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. (BCI and Wikipedia)

(Keep in mind, this has only been a sampling of terms.)

1st Step: Pick the Broadest Starting Point

Business Continuity Management (BCM): Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience [1] with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (ISO 22301)

[1] Resilience:
- (1) the ability to become strong, healthy, or successful again after something bad happens; (2) the ability of something to return to its original shape after it has been pulled, stretched, pressed, bent, etc. (Merriam-Webster.com)
- The adaptive capacity of an organization in a complex and changing environment. (ASIS)
- Editor's Note: (a) Resilience is the ability of an organization to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event. (b) Resilience is the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must. (ASIS)

Going Forward: Use Known References and Leverage Industry Best-Practices
- DRI International (DRII) Professional Practices
- Business Continuity Institute (BCI) Good Practice Guidelines
- Regulatory Agency Frameworks, Directives and Documentation (ISO, NFPA, SEC, FFIEC, HIPAA, etc.)
- Industry Publications, White Papers and Recognized Conference Materials (e.g. Continuity Insights)
- Reputable and Trusted Experts, Consultants, Business Partners

Enterprise-wide is Thought-Shifting: Requires Dept Heads becoming Plan Owners

[Diagram: BC Plan Ownership, "From This" (BCM (You) at the center, pushing plans out to Your Organization) "To This" (Your Organization owns the plans; BCM (You) provides Facilitation/Expertise). Boxes in the "To This" view: Incident Response (& Mgmt): Executive CIRT Team Liaison; Critical Infrastructure/Support: Human Resources, Corp Comm, IT Operations, Site Services; Direct Customer-facing Areas: Customer Service, Claims, Field Agency Marketing, QA & Agency Interface, Commercial Lines, Personal Lines, SBS Project Development, IT Enterprise Applications; General Counsel, Financial Operations, Internal Audit, Gov't Affairs, Actuarial, Finance & Risk Mgmt, Other Depts/BUs.]

Enterprise-wide is also Approach-Shifting: Enterprise-wide (-based vs Scenario-based plans)

① BUs Identify Resource Requirements
② Then common dept tasks
③ And then broad scenarios

Dept/BU Leadership Checklist:
- Account for Employees
- Determine Critical Staffing needs
- Report Status
- Determine escalation/activation
- (etc., etc.)

[Diagram: Dept BC Plan built around PROCESSES, with resource categories Tasks, Teams, Equipment, Supplies, Suppliers/Providers, Procedures, Com. Devices, Vital Records, Employees, Agents, Customers, Policyholders, Applications/Software. The plan "Bridges Gaps" and is then overlaid with Company Strategic Responses: Inclement Weather/Regional Disaster, Technology Outage, Pandemic (Workforce Red), Building Outage.]

- Ensure the correct level of IT DR, given the ultra-low tolerance for latency world in which we operate today
- Focus/Highlight BIA and Business Prioritization
- Ensure the business has the correct IT DR expectations
- Address Work Area Recovery/Continuity
- Keep Management involved and continuously updated

Our Enterprise-Wide BCM Model Requires Enterprise-Wide Incident Coordination
- CEO: Strategic Oversight
- SVPs: Incident Commander (IC), Person In-Charge Named at T.O.D.
- VPs and Sr Directors: Co-back-ups
- Facilitation by BCM (Design and Guidance)
- Strategy: Executive Liaison Team; Business Continuity Committee; Company/Infrastructure Readiness

[Org chart. Legend: Command, Infrastructure, Logistics, Planning & Intelligence, Finance. Boxes as shown: Site Services (Infrastructure Co-Lead; SS Back-up #1, Back-up #2); IT Operations (Infrastructure Co-Lead); IT Ent Applications (IT Back-up #1); IT Disaster Recovery (IT Back-up #2); Personal Lines (P & I Co-Lead); Customer Service (P & I Co-Lead); Claims (P&I Back-up #1); QA & Agency Interface (P&I Back-up #2); Corp Communications (Logistics Co-Lead); Human Resources (Logistics Co-Lead); Corp Comm CC Back-up #1 and #2; HR Back-up #1 and #2; Gov't Affairs; Finance & Risk Mgt (Finance Lead); Financial Operations (Finance Back-up #1); Actuarial (Finance Back-up #2); SBS Project Dev; Field Agency Marketing; Gen Counsel; Commercial Lines; Internal Audit; BCM (Design and Guidance).]

(Making Ready)
- Employee Preparedness, Policies and Communications
- Facilities Preparedness, Mitigation, Emergency Response and Security
- IT Preparedness, Mitigation and IT Disaster Recovery
- Department Business Continuity Plans: Plan Design and Development; Training and Exercises
- Each Department is responsible for its own BC Plan and Readiness

(Should there be a need)
- Incident Response (& Mgmt): CIRT (Corporate Incident Response Team) comprised of key stakeholders
- Centralized management of all incidents including Catastrophes
- Escalates/Communicates with Executive Leadership, as necessary
- Response Protocols for each Satellite Office

Enterprise BCM Program Component Terms/Definitions
- Business Continuity Management (BCM): Holistic management process that provides a framework
- BCM Committee: Collaborative Oversight and Readiness; promotes good organizational habits
- BCM Program Office: Provides BCM leadership, framework, development, expertise and support services
- BCM/Risk Owners: Sign annual attestation; their designated Liaisons perform the work in advance
- Incident Response (our CIRT): May include evacuation of a facility; performing measures necessary to bring an organization to a more stable status
- Facilities/HR Emergency Preparedness/Response: The capability to respond to an emergency to prevent the loss of life and minimize injury and property damage
- IT Disaster Recovery (DR): The technical aspect of business continuity (infrastructure, telecommunications, systems, applications and data)
- BCM/Facilities/HR/IT/BUs Work Area Recovery: The component that deals specifically with relocation of personnel workspace complete with necessary office infrastructure
- BUs Business Continuity Plan (BCP): Procedures to respond, recover, resume and restore to ensure the continuity of critical business functions

Enterprise BCM Program Component Expectations
- Corporate Incident Response Team (CIRT): Management team responsible to lead and manage response to any circumstance (incident, crisis, catastrophe/disaster and alike)
- Emergency Preparedness/Response: Facilitates 1st response to emergencies: evacuation, shelter in-place, lockdown and alike. Further direction/support from CIRT. MERT for medical emergencies
- IT Disaster Recovery (DR): Warm site data center in Rochester; replicates data and is used for fail-over
- Work Area Recovery: Initially Work from Home; complemented by Agility Recovery to provide 144 seats; includes equipment and connectivity to our networks via office space, mobile units, generators and satellites
- Business Continuity Plans (BCPs): Department protocols to help manage from incident occurrence, to and through the point of continuing critical department processes; includes IT DR and Work Area Recovery

Then Communicate BCM in Common Sense
- Business Continuity is the advanced planning and preparation for things that can happen, and then being ready to respond when things do happen
- What does that really mean? (Hint: You won't find it in a binder, or on a software tool.) It's in the Planning, not the Plans
- BCM is an embedded organizational culture that promotes continuous planning, preparation and making the business ready to respond
- We understand people come first, but doing our jobs becomes the priority once safety is addressed
- Which means every employee has a role in business continuity
- Every employee must be fully prepared at work and at home, including their families

Recommended Management Strategies
1. Start a BCM Committee: Dept Heads from Facilities, IT, Corporate Communications, HR and key customer-facing BUs. Use a Risk-based (ERM) / Best Practices approach, and establish that BCM is a Show-Stopper
2. Establish an Incident Response and Management Team (both Members and Protocols)
3. Leverage like-minded efforts that are already established. Use the BCM Committee to consolidate and update (possibly agree for BCM to take the lead on integration/improvement)
4. Gain Senior Management approval for a 2- to 4-step design/re-design and deployment strategy. Begin the 1st step ASAP!
5. Provide regular updates and recommendations to Senior (C-level) Executive Management
6. Leverage Corp Comm to socialize BCM to the entire company as much as possible. Be Creative!!!

Recommended Employee Strategies
1. Highly promote that all employees prepare themselves and their families: Develop an Awareness Campaign. Lots of help out there! e.g. Red Cross: Get a Kit. Make a Plan. Be Informed. Download local alert apps for weather and other emergencies (In NY, …)
2. Highly encourage supervisors/subordinates to exchange critical contact information
3. Everyone has a role and is expected to do something during an incident, even if just a phone call. Know where to go and what to do, even if it's home. (If you don't know, ask.) We understand that family comes first. Give management the courtesy of knowing your situation and strive to make yourself available. (This is our place of both customer commitment and employment.)

When can we communicate that we have achieved Enterprise-Wide Business Continuity?
- Business Continuity Committee: Confluence and Oversight
- BCM Program Office: Facilitation and Expertise
- Each Department Head is a BCM Plan Owner: Accountability & Ultimate Responsibility. IT Depts (including DR) are included in this! Signs Attestation that the BCP is Viable/Actionable, and that SVPs/employees are Informed/Trained
- Business Continuity Liaison: Plan Owner-designated Single-Point-of-Contact. Facilitates information-gathering and plan development (as well as data input and BCM activities)
- Incident Response & Management: Protocols to Ensure a Defined Team is Organized/Ready
[Note: Make it a goal this year or next to report Residual Risk Tolerances to the BOD Audit Committee]

Enterprise-Wide Business Continuity: It's in the Planning, not the Plans!

Q & A
Thank you, Dave Prosser, MBCP, dave.prosser@preferredmutual.com