Business Continuity Management (BCM) Chicagoland Safety Conference October 24, 2013

Transcription

1 Business Continuity Management (BCM) Chicagoland Safety Conference October 24, 2013 Carey A. Loukides, CBCP, ARM, MBCI Senior Consultant, Global Risk Consulting Enterprise Risk Management, Business Continuity Management Joseph C. Urban, EMT-P, ASC North America Regional Manager, EHS & BCP

2 Agenda What is Business Continuity Management (BCM)? Why Develop a Business Continuity Management Program? Business Continuity Management Components and Incident Timeline Case Study Exercise Simulation Key Takeaways/ Lessons Learned Roadmap to Create Your Own BCP 2

3 What is Business Continuity Management (BCM)? A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and valuecreating activities. (from ISO 22301:2012) 3

4 Why Develop a Business Continuity Management (BCM) Program? Incident or interruption in the past 12 months that cause the activation of BCM plan(s). Source: Continuity Insights and KPMG Benchmark Study 4

5 Why Develop a BCM Program Additional Highlights Source: Supply Chain Resilience Study 2010 by The Business Continuity Institute. 5

6 BCM Components & Incident Timeline 0 ~1 Hour ~1 Hour 3+ Days ~3+ Days 4+ Weeks INCIDENT TIMELINE Emergency Management / Response Crisis Management Business Restoration and Operational Recovery Communications Evacuate, Stabilize & Assesses Recognize & Respond to Incident Ensure Personnel Safety Stabilize Incident Conduct Damage Assessment Coordinate with Authorities Perform Initial Communications Manage the Incident Provide Leadership Coordinate Activities Control Actions Make Decisions Perform Internal/ External Communications Restore & Recover the following: Critical Processes Essential People Technology Equipment Information Technology Infrastructure 3rd Party Providers 6

7 BCM Planning Process Steps Program Management Business Continuity Strategies Emergency Management and Response Risk Evaluation, Control and Remediation Crisis Management & Communications Business Impact Analysis Business Restoration and Operational Recovery Plan Audit, Awareness and Training, Maintenance and Testing 7

8 Program Management Developing a strong planning foundation Develop BCM policies and procedures Develop accountability controls and program parameters Identify steering committee, project liaison, departments/ functional area representatives participating in BCM planning Develop Timeframe, scheduling and project launch Conduct Gap analysis and benchmarking of existing plans 8

9 Business Impact Analysis Understand the mission critical processes and determine the sequence of recovering processes and services Update/identify resources necessary to support recovery of: Critical equipment, IT applications, systems, data, Infrastructure requirements, Technology equipment and potential work-arounds, Key people, Critical vendors/ suppliers Identify financial, legal/regulatory, operational, customer service and reputation and image impacts where possible Determine Recovery Time Objective and Recovery Point Objective 9

10 Risk Evaluation, Control and Remediation Identify threats/risks and vulnerabilities Define, develop and implement information gathering activities across the entity to identify threats/risks and the entity s vulnerabilities (natural hazards, human-caused events & technologically caused events) Identify probabilities and impact of the threats/risks identified. Identify and evaluate the effectiveness of the current controls and safeguards in place. Identify business resiliency strategies to control, mitigate, accept or take advantage of the potential impact of the risk/threat or reduce the entity s vulnerabilities. SEVERITY Negligible Minor Moderate Severe Catastrophic Probability verses Severity table X X X X X X X X X X X X X X X X X Remote Unlikely Moderate Likely Certainty PROBABILITY 10

11 Emergency Management / Response Emergency management/response is the process of identifying and mitigating threats, responding and recovering from an emergency. Evaluate/develop EMT/ERT structure and training Identify threats and evaluate with responsible team Develop response criteria, tools and recognition of escalation potential Develop processes to stabilize incidents Develop communication process and protocols internal/external and local authorities Ensure proper response for and care of employees/visitors Conduct damage assessment, deescalation, initial communications and discussions with management 11

12 Crisis Management and Communications Crisis Management and Communications is the process of providing the leadership, decision-making, coordination / control and communications aspects to manage the incident / campaign. Develop team structure, including roles and responsibilities Determine team activation criteria Conduct threat assessment Develop incident trigger recognition Identify Emergency Operation Center (EOC) Learn how to manage the crisis campaign Utilize Status Boards Discuss decision-making and information availability Develop communications (building message boards) Learn how to de-activate the campaign 12

13 Business Restoration & Operational Recovery The plan guides the development of alternative business strategies to restore / recover business functions and Information Technology within the recovery time objective, while maintaining the organization s critical functions. Develop the strategic key actions, responsibilities and benchmarks for recovery, restoration and resiliency of human capital and operations Mitigate vulnerabilities affecting strategies Qualify end-user needs for systems and applications, equipment connectivity, information access, processes, etc. Develop resource requirement documentation as needed 13

14 Plan Audits, Awareness, Training, Maintenance and Testing Test program effectiveness and ensure future success Conduct a tabletop exercise at the conclusion of the plan development to test the effectiveness of the program. Provide an exercise evaluation report at the conclusion of the tabletop exercise. Incorporate lessons learned and recommendations for plan enhancement into the report. Evaluate the exercise against the following areas: Ability of the team s leadership Decision making capabilities Ability to evaluate incident triggers Ability to evaluate incident escalation Communications with team and stakeholders Ability to use the plan effectively Comprehensiveness of the plan Thoroughness of resources Outline an ongoing exercise and maintenance schedule once the plans are complete & published 14

15 CASE STUDY 15

16 BCP Project Planning Executive Leadership Meeting Meeting Objectives Illustrate the benefits of Business Continuity Planning (BCP) Approach Alignment Expected Outcomes Obtain leadership commitment to proposed plan, timeline and resource needs Approval for project kickoff Decision Points Project Team approval Timeline approval Resource Considerations Action Items/follow up/expectations of communication 16

17 Business Continuity The Business Continuity Process acts to mitigate the negative consequences of a disruptive event, and may also deliver business improvements. In plain language, a BCP is a plan designed to help sustain business operations in the event of a disaster. When something happens outside of the plan we have a Plan! Type Natural (Acts of Nature) Man-Made Technology/Infr astructure Failures Description Tornados, Hurricanes, Earthquakes, Floods, Winter Storms, Pandemic Flu Fire, Explosion, Hazardous Material Contamination, Terrorist Acts and Regional Tensions, Theft, Vandalism Wide-spread power outage, Water/Sewage System breakdown, Computer Processing Disruption, Virus Any event that could cause the potential for loss of business should be considered, including any event that the business is dependent on, such as loss of (source of) supply, loss of critical infrastructure (a major piece of machinery or computing/network resource). 17

18 Opportunities / Benefits of a BCP Opportunity Customer Supply Concerns Outcome Increased Customer Confidence Optimized Inventory Level Inventory Validation/Cash Management Adequate Insurance Coverage Appropriate Premiums/Coverage Preparedness/Risk Mgmt. SOX Compliance Tender Offers Prevention/Limit Impact Essential For IPO Competitive Advantage 18

19 Project Phases Business Continuity begins with planning and results in active continuity management. Plan Maintenance & Testing Business Continuity Planning Life Cycle Business Impact Analysis Develop & Test Business Continuity Strategies We intend to use a multi-phase approach which engages key business representatives (cross functional) in the development of the Business Continuity Plan. 19

20 Project Time Line Total Project Time: 18 months Jan-06 Q3 Feb -06 Q4 Apr -06Q1 May-06 Q2 Planning Research Determine Team Create Project Plan Business Impact Analysis Assessment of impact with $$ Disaster Preparedness Strategy Determine and Cost Continuity Strategies Develop and Validate Compile results Interdependencies Maintenance/Testing Plan exercise program Maintenance procedures 20

21 Proposed Project Team Structure Roles/Responsibilities Project Lead Executive Sponsor Project Business Representative Executive Sponsor/Steering Committee Provides guidance for objectives, and priorities Resolves issues Assist in procuring resources Communicate/update ELT Manufacturing/ Operations Environmental Health & Safety Human Resources Sales/Marketing/Bid Office Customer Service Communications Research & Development Supply Chain/Distribution Finance Information Technology Trade Compliance/Legal Quality/Regulatory Project Lead Project direction & oversight Coordinate project objectives Drives overall deliverables Project Business Representative (PBR) Act as an area subject matter expert Responsible for internal process identification Facilitate knowledge and information transfer for BCP Participate in project phases Cross-Functional Team 21

22 Proposed Project Team Executive Sponsor Project Lead Joe Urban External Resource? (AON) Department Project Business Representative Department Project Business Representative Bid Office Operations Customer Service Clinical Communications Finance Quality Regulatory Human Resources Information Technology Legal/ Trade Compliance Research & Development Sales/ Marketing Suppliers Supply Chain 22

23 Next Steps Decision Points Confirm Team Members Identify the right people Representatives from each business area with appropriate support from all levels Anticipated 4 hours per work week but will vary Determine Project Timeline (Plan will require maintenance) Solely Internal Resources Full External Resources Blend 18 months 10 months 14 months Understand SLT Communication Expectations Dates Milestones Budget Planning Ongoing maintenance and updates Action Items Communicate Plan Project Kick off Request from Executive Sponsor to PBR s 23

24 BCP Capital Expense Request Use of internal resources with external expertise Estimated total external resource cost : $$$ Benefits: Efficiency Reduced internal resource time (approx. 40%) Proven methodology Eliminates need for software purchase Reduced project timeline (approx. 20%) Deliverables: Internal BCP document External (customer facing) BCP document that references testing of plan 24

25 Business Impact Analysis Face to face meetings with PBR s to understand function: What do they do (routine and non-routine tasks) How do they do it (IT systems, equipment, EE skill set, vendors) Who they depend on (previous step in the process) Who depends on them (next step in the process) 25

26 Business Continuity Strategies Emergency Response/Management Workshop session Review current procedures, develop flow chart Crisis Management/Communications Workshop session Assign roles by skillset, prewritten draft statements Operational Recovery Utilizing PBR s to gain knowledge of: What is necessary What recovery plans and procedures are in place What can be put into place to minimize impact of an event 26

27 Develop and Validate Develop strategies to respond and recover from an event. Must be practical Build upon something already in place Think outside the box Project business representatives to work within their function to validate procedures Gain input from larger audience Buy-in from employees that will perform the tasks 27

28 Testing & Maintenance Testing Table Top Exercise to include all personnel that would be part of a real event. Keep it realistic Do not expect perfection Maintenance Establish full Plan test expectations Individual functional area Joint functional areas 28

29 Exercise 29

30 Takeaways & Lessons Learned What makes an EHS professional right for the job? Understands the business processes Relationship with most employees Project management skills Consensus and team building Response experience to events Lessons learned Gain full and complete support from Executive Leadership Business focus changes External expertise is invaluable Keep up skills by attending workshops Not everything will be solved, at least document and track Benefits Business acumen EHS is tied to BCP Improve your professional skill set 30

31 Roadmap to Create BCP Establish the need for the business continuity program (ask what if questions) Executive sponsorship, support and funding Research and reference relevant business, legal, regulatory, statutory ad contractual requirements and restrictions Reference relevant standards, guidelines and best practices (see next slide) Assessment of current capabilities Build the organizational framework to develop the BCM program Clearly define and obtain resources needed for the BCM program Internal and external 31

32 Roadmap to Create BCP, continued Coordinate and manage the implementation of the BCM program Identify teams that will participate in the execution Develop project plans and identify tasks required Develop plan documentation Develop ongoing plan maintenance / testing activities Monitor and track performance Report to Senior Management on program status 32

33 Standards, Best Practices and Guidelines to Lead BCM Planning NFPA Standard on Disaster/Emergency Management and Business Continuity Programs, 2013 Edition ASIS SPC Organizational Resilience: Security, Preparedness and Continuity Management Systems ISO Society security Business Continuity management systems requirements Disaster Recovery Institute International (DRII)- Professional Practices for Business Continuity Practitioners, 2012 Business Continuity Institute (BCI)- Good Practice Guidelines, 2013 Edition 33

34 Thank You & Questions Carey A. Loukides, CBCP, ARM, MBCI Senior Consultant Aon Global Risk Consulting Enterprise Risk Management Business Continuity Planning 12 Chapel Lane, Unit#3 Merrimack, NH t: m: f: e: www. Aon.com Joseph C. Urban, EMT-P, ASC NA Regional Manager, EHS & BCP Rexam Healthcare 800 Corporate Grove Dr. Buffalo Grove, Il t: m: f: e: