0
Maintaining Operations in the Face of Unexpected Loss New Realities in Business Continuity  Management  William Pollock Sn...
General Overview - MRC <ul><li>Management Consulting Division of Marsh </li></ul><ul><li>Global Representation  </li></ul>...
BCM - A Viewpoint <ul><li>BEING PROPERLY PREPARED IS A COMPLEX SCIENCE </li></ul>
AN OPINION <ul><li>MURPHY’S LAW STILL EXISTS - BUT WE DON’T HAVE TO MAKE IT EASY FOR HIM </li></ul><ul><li>WE CAN NEVER CO...
BCM - What Does It Mean? <ul><li>DEFINITION: </li></ul><ul><ul><li>The development, maintenance and implementation of stra...
BCM – What are the Drivers? <ul><li>Legislation / Regulations / Statutes / Standards / Government Reports </li></ul><ul><u...
BCM - WHAT IS REALLY DIFFERENT <ul><li>COMMUNITY IS BECOMING INCREASINGLY MORE AWARE </li></ul><ul><li>EXPECTATIONS ARE HI...
BCM - why do it? <ul><li>General Findings: </li></ul><ul><ul><ul><li>43% of businesses experiencing major disasters never ...
<ul><li>Why is the Plan itself – so important? </li></ul><ul><ul><li>regulated requirement </li></ul></ul><ul><ul><li>spec...
Business Continuity Management <ul><li>How do we go about it? </li></ul>
BCM definitions: <ul><li>Emergency Response </li></ul><ul><li>Crisis Management </li></ul><ul><li>Crisis Communication Man...
What are  YOU  trying to do? <ul><li>Prevent the problem </li></ul><ul><li>Fix the problem </li></ul><ul><li>Manage Issues...
Business Continuity Management (BCM)  Marsh Integrated Approach Policy Crisis Management & Communication Recovery Strategi...
Recovery Options ACTIONS COMMUNICATIONS Recovery Priorities Recovery   Procedures Recovery Time Objectives Critical Busine...
BCM – A Development Perspective <ul><li>Some questions: </li></ul><ul><li>What is the actual composition of the  impacted ...
What happens when a key process is overloaded / disrupted?
BCM Development Some Practical Considerations – Think PROCESS !!!! <ul><li>Mission critical activity: </li></ul><ul><ul><l...
<ul><li>Coffee Break </li></ul>
<ul><li>The World Trade Center had two 110-story buildings, known as the &quot;Twin Towers&quot; and five smaller building...
 
Indicative  Incident Response <ul><li>Evacuation </li></ul><ul><li>Setting up an information centre, to register employees...
Merely Identifying Risks is Not Enough <ul><li>At Corporate level: </li></ul><ul><ul><ul><ul><li>many companies completed ...
Some BCM Findings-General Market <ul><ul><li>Processes </li></ul></ul><ul><ul><ul><li>Inability to locate key personnel - ...
Some BCM Lessons - General market <ul><li>Contingency Planning </li></ul><ul><ul><ul><li>detailed plans - less effective  ...
Some BCM Lessons-General Market <ul><li>Logistics </li></ul><ul><ul><ul><li>inadequate security for affected offices / com...
Some BCM Lessons-General Market <ul><li>Telecoms </li></ul><ul><ul><li>businesses may not be able to rely on telecom netwo...
Some BCM Lessons-General Market <ul><li>Reputation Management </li></ul><ul><ul><li>all actions in the gun-sight of the me...
Some BCM Lessons-General Market <ul><li>Risk Identification - outside “Comfort Zone” </li></ul><ul><ul><ul><li>if “likely”...
What Is Different <ul><li>Strategic Re-Assessment of BCM fundamentals </li></ul><ul><ul><ul><li>multiple and concurrent po...
References – post 9/11 <ul><li>Text sourced from “global continuity.com” </li></ul><ul><ul><li>incorporating findings from...
Upcoming SlideShare
Loading in...5
×

William Pollock Snr VP

350

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
350
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Identify your critical processes how quickly you need to recover them how you will go about the recovery what alternative approaches you can take EG. Payroll - alternative means of processing
  • ………… . The impact on other processes. As you see here, the impact on other processes could cause in an interruption to others. Remember that the solution of 38% of respondants was to work overtime in the event of a disruption. Just how long can you do that. Is the workforce prepared to do that ?
  • Evacuatie : Vanzelfsprekend is er een evacuatie signaal afgegeven, waarop de totale torens ontruimd moesten worden. Gelukkig is dit voor zover mogelijk ordelijk verlopen. Echter door de hitte en rook ontwikkeling was dit niet mogelijk voor de personen vanaf de 92 e.verdieping. De Marsh kantoren waren gevestigd 93 t/m de 100 e. verdieping. Het tijdstip van van de ramp (08.45) speelde een beetje in ons voordeel daar nog niet alle medewerkers aanwezig waren. Inventariseren van slachtoffers en gewonden : Het zal duidelijk zijn dat de computer uitdraai van het badge systeem niet beschikbaar was, dus moest langs 7 grote ziekenhuizen worden gegaan om vast te stellen wie van onze medewerkers aldaar geregistreerd stonden.Telecom call centers incl. E-mail en fax apparatuur werden ingericht voor informatie verstrekking richting belanghebbende. Verder werden getuigen verklaringen nauwkeurig geregistreerd en gecontroleerd bij de familie. Eerste opvang van medewerkers : Al snel bleek dat medewerkers met name behoeften hadden om met eigen collega’s te praten over hun ervaringen. Hiervoor werden speciale ruimten voor ingericht. Opstart systemen: Het verlies van data is gelukkig tot een minimum beperkt dit doordat de back-up systemen goed hebben gewerkt. En kon worden opgestart op onze overige locaties in Amerika. Uiteraard gaf dit de nodige capaciteitproblemen maar over het algemeen is er 1 dag aan informatie verlogen gegaan.
  • Recommendations 1 Modular plans offer greater flexibility to changing dynamics
  • Recommendations 1 Modular plans offer greater flexibility to changing dynamics
  • Recommendations 1 Modular plans offer greater flexibility to changing dynamics
  • Recommendations 1 Modular plans offer greater flexibility to changing dynamics
  • Transcript of "William Pollock Snr VP "

    1. 1. Maintaining Operations in the Face of Unexpected Loss New Realities in Business Continuity Management William Pollock Snr VP & National Manager MRC-Risk Services Melbourne
    2. 2. General Overview - MRC <ul><li>Management Consulting Division of Marsh </li></ul><ul><li>Global Representation </li></ul><ul><li>Principal focus - To provide risk solutions to clients </li></ul><ul><li>Multiple portfolios / services / operating synergies </li></ul>
    3. 3. BCM - A Viewpoint <ul><li>BEING PROPERLY PREPARED IS A COMPLEX SCIENCE </li></ul>
    4. 4. AN OPINION <ul><li>MURPHY’S LAW STILL EXISTS - BUT WE DON’T HAVE TO MAKE IT EASY FOR HIM </li></ul><ul><li>WE CAN NEVER COVER ALL THE BASES ALL OF THE TIME - BUT GOOD BCM CAN KEEP YOU IN THE GAME </li></ul><ul><li>“ WINGING IT” </li></ul><ul><ul><ul><ul><li>IS FOR THE BIRDS - AND SHOULD BE AVOIDED OR BECOME AN ACTION OF LAST RESORT </li></ul></ul></ul></ul><ul><ul><ul><ul><li>IT USUALLY ONLY WORKS WELL : </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>IN THE MOVIES OR </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>IF YOU ARE ALL GOING IN THE SAME DIRECTION AND READING THE SAME SCRIPT - (ie GOOD BCM) </li></ul></ul></ul></ul></ul>
    5. 5. BCM - What Does It Mean? <ul><li>DEFINITION: </li></ul><ul><ul><li>The development, maintenance and implementation of strategies; plans and actions to ensure the continued availability of critical business processes and services </li></ul></ul><ul><li>It includes: </li></ul><ul><ul><li>pre-empting the impact of an incident / crisis </li></ul></ul><ul><ul><li>responding to the incident / crisis </li></ul></ul><ul><ul><li>implementing contingency / continuity plans </li></ul></ul><ul><ul><li>stabilising / recovering critical functions </li></ul></ul><ul><ul><li>resuming / restoring normal operations </li></ul></ul>
    6. 6. BCM – What are the Drivers? <ul><li>Legislation / Regulations / Statutes / Standards / Government Reports </li></ul><ul><ul><li>ASX Corporate Governance guidelines, </li></ul></ul><ul><ul><li>CLERP 9 </li></ul></ul><ul><ul><li>APRA - Australia (GPS 222) </li></ul></ul><ul><ul><li>Sarbanes Oxley in the USA, </li></ul></ul><ul><ul><li>Australian Standards Handbook HB 221 - Business Continuity Management </li></ul></ul><ul><li>Precedents / Royal Commissions / Senate Inquiries / Parliamentary Inquiries </li></ul><ul><li>Increasing Litigation / Speed of Communication / Investigation / Observations </li></ul><ul><li>Customer, employee, stakeholder and supplier expectations </li></ul>
    7. 7. BCM - WHAT IS REALLY DIFFERENT <ul><li>COMMUNITY IS BECOMING INCREASINGLY MORE AWARE </li></ul><ul><li>EXPECTATIONS ARE HIGHER </li></ul><ul><li>LEVELS OF TOLERANCE ARE DECREASING </li></ul><ul><li>ENVIRONMENT IS BECOMING INCREASINGLY MORE COMPLEX** </li></ul><ul><li>PERCEPTIONS CAN “CAUSE DAMAGE” </li></ul><ul><li>RULE OF PRECEDENT </li></ul>
    8. 8. BCM - why do it? <ul><li>General Findings: </li></ul><ul><ul><ul><li>43% of businesses experiencing major disasters never re-open </li></ul></ul></ul><ul><ul><ul><li>29% close within three years </li></ul></ul></ul><ul><ul><ul><li>< 50% of organisations have business recovery plans and at least 90% never test the plans </li></ul></ul></ul><ul><ul><ul><li>75% of businesses are UNABLE TO FUNCTION without IT support within 14 days </li></ul></ul></ul><ul><ul><ul><li>“ recovery time” is invariably underestimated </li></ul></ul></ul><ul><ul><ul><li>“ costs” of recovery not always recovered by BI </li></ul></ul></ul>
    9. 9. <ul><li>Why is the Plan itself – so important? </li></ul><ul><ul><li>regulated requirement </li></ul></ul><ul><ul><li>specific response capability vs risk profile vs time </li></ul></ul><ul><ul><li>optimisation of response & recovery strategy </li></ul></ul><ul><ul><li>pre-determined allocation of resources / equipment </li></ul></ul><ul><ul><li>focussed preparation / implementation / training </li></ul></ul><ul><ul><li>enables assessment of specific capabilities and preparedness against known risk / incident type </li></ul></ul>Business Continuity Plan
    10. 10. Business Continuity Management <ul><li>How do we go about it? </li></ul>
    11. 11. BCM definitions: <ul><li>Emergency Response </li></ul><ul><li>Crisis Management </li></ul><ul><li>Crisis Communication Management </li></ul><ul><li>Business Continuity Plan </li></ul><ul><li>Disaster Recovery Plan (DRP) </li></ul><ul><li>Business Continuity Management </li></ul>
    12. 12. What are YOU trying to do? <ul><li>Prevent the problem </li></ul><ul><li>Fix the problem </li></ul><ul><li>Manage Issues & Implications </li></ul><ul><li>Recover and Continue from the event </li></ul><ul><li>Protect the Enterprise </li></ul><ul><li>Act diligently </li></ul>
    13. 13. Business Continuity Management (BCM) Marsh Integrated Approach Policy Crisis Management & Communication Recovery Strategies Training/ Awareness BIA / Risk Assessment Emergency Response Enterprise Value
    14. 14. Recovery Options ACTIONS COMMUNICATIONS Recovery Priorities Recovery Procedures Recovery Time Objectives Critical Business Processes Plan development - Step by Step Process ALTERNATIVE OPTIONS (RECOVERY RESOURCES) BUSINESS OPERATIONS
    15. 15. BCM – A Development Perspective <ul><li>Some questions: </li></ul><ul><li>What is the actual composition of the impacted activities? </li></ul><ul><li>What are the critical elements / processes / areas of dependency associated with the impacted activities? </li></ul><ul><li>Where are the bottlenecks and / or key points of failure associated with the impacted activities? </li></ul><ul><li>Where does your office / function / organisation sit within the “greater” network </li></ul><ul><li>Are there any factors or 3rd party disturbances - outside your control - which could directly / indirectly affect the recovery efficiency of the impacted activity? </li></ul><ul><ul><ul><li>What are the precedents? How can you minimise impact on recovery? </li></ul></ul></ul><ul><ul><ul><li>How do you retain control? </li></ul></ul></ul><ul><li>What level of pain are you prepared to carry before it detrimentally affects the objectives of the business function and its subsequent recovery ? </li></ul>
    16. 16. What happens when a key process is overloaded / disrupted?
    17. 17. BCM Development Some Practical Considerations – Think PROCESS !!!! <ul><li>Mission critical activity: </li></ul><ul><ul><li>Financial and non-financial impacts </li></ul></ul><ul><ul><li>Recovery Time Objective (RTO) & Recovery Point Objective (RPO) </li></ul></ul><ul><ul><li>Critical processes / inter- dependencies identified & prioritised </li></ul></ul><ul><ul><li>Minimum level of resources identified - phased over time </li></ul></ul><ul><ul><li>Key people / teams identified; trained; notified; activated; tasked </li></ul></ul><ul><ul><li>Business recovery – linked to – IT system recovery / Hot Site !!!!! </li></ul></ul><ul><ul><li>Key documents backed up & stored off site </li></ul></ul><ul><ul><li>Expectations of Key stakeholders </li></ul></ul><ul><ul><li>Constraints under which the mission critical activities need to operate </li></ul></ul><ul><ul><li>Recovery priorities & acceptable levels of redundancy identified & confirmed </li></ul></ul><ul><ul><li>Audit; review, train and test </li></ul></ul><ul><ul><li>not an exhaustive or prescriptive list </li></ul></ul>
    18. 18. <ul><li>Coffee Break </li></ul>
    19. 19. <ul><li>The World Trade Center had two 110-story buildings, known as the &quot;Twin Towers&quot; and five smaller buildings. • Tower One was 414 meters tall. </li></ul><ul><li>Tower Two was 412 meters. • Built of aluminum and steel. • The foundation of each tower extended more than 70 feet below ground, resting on solid bedrock. • Each tower consisted of 104 passenger elevators and 21,800 windows. • About 50,000 people worked in the complex, which housed the offices of more than 430 businesses </li></ul>
    20. 21. Indicative Incident Response <ul><li>Evacuation </li></ul><ul><li>Setting up an information centre, to register employees and make an inventory of missing or wounded people </li></ul><ul><li>Care for employees; families and victims; community </li></ul><ul><li>Setting up communication and IT networks </li></ul><ul><li>Creating alternative office space </li></ul><ul><li>Managing / Recovering day to day business </li></ul><ul><li>Security </li></ul><ul><ul><li>not an exhaustive list </li></ul></ul>
    21. 22. Merely Identifying Risks is Not Enough <ul><li>At Corporate level: </li></ul><ul><ul><ul><ul><li>many companies completed a risk assessment report to Turnbull or other Corporate Governance requirements - went no further or “believed” controls “in place” were adequate </li></ul></ul></ul></ul><ul><li>Insurance was obviously vital for the businesses affected but it was evident that insurance was not enough to ensure continued operation. </li></ul><ul><li>Risk Control is only the starting point - a waste of time unless meaningful follow-up action is taken </li></ul>
    22. 23. Some BCM Findings-General Market <ul><ul><li>Processes </li></ul></ul><ul><ul><ul><li>Inability to locate key personnel - after evacuation </li></ul></ul></ul><ul><ul><ul><li>poor security at secondary site </li></ul></ul></ul><ul><ul><ul><li>ill-defined secondary / alternate site transition </li></ul></ul></ul><ul><ul><ul><li>Inability to move to alternative locations with minimal disruptions to ongoing business </li></ul></ul></ul><ul><ul><ul><li>Inability to execute critical business functions in a timely manner </li></ul></ul></ul><ul><ul><ul><li>undefined alternatives in “supply chain” </li></ul></ul></ul>
    23. 24. Some BCM Lessons - General market <ul><li>Contingency Planning </li></ul><ul><ul><ul><li>detailed plans - less effective </li></ul></ul></ul><ul><ul><ul><li>logistical errors - common </li></ul></ul></ul><ul><ul><ul><li>inadequate data recovery </li></ul></ul></ul><ul><ul><ul><li>optimistic scenario planning </li></ul></ul></ul><ul><li>People </li></ul><ul><ul><li>plans assumed impact on premises / functions </li></ul></ul><ul><ul><li>BUT people skills / intellectual knowledge / resources still available . </li></ul></ul><ul><ul><ul><li>People / intellectual property can and were lost </li></ul></ul></ul><ul><ul><ul><li>Trauma needed to be managed </li></ul></ul></ul><ul><ul><ul><li>Ability to handle stress and trauma is not always directly associated with seniority </li></ul></ul></ul>
    24. 25. Some BCM Lessons-General Market <ul><li>Logistics </li></ul><ul><ul><ul><li>inadequate security for affected offices / companies </li></ul></ul></ul><ul><ul><ul><li>relocation of large numbers of traumatised people and / or support teams involved in recovery </li></ul></ul></ul><ul><ul><ul><li>impact of loss of personnel; services and logistics associated with relocation </li></ul></ul></ul><ul><li>Crisis Management </li></ul><ul><ul><ul><li>Confusion </li></ul></ul></ul><ul><ul><ul><li>Secondary EOC - “outside” exclusion zone </li></ul></ul></ul><ul><ul><ul><li>logistics - impaired efficiency / speed of EOC set-up / </li></ul></ul></ul><ul><ul><ul><li>wide area issues need to be considered </li></ul></ul></ul>
    25. 26. Some BCM Lessons-General Market <ul><li>Telecoms </li></ul><ul><ul><li>businesses may not be able to rely on telecom networks in the event of a major emergency </li></ul></ul><ul><ul><li>Examples: </li></ul></ul><ul><ul><ul><li>need to check for “choke points’ </li></ul></ul></ul><ul><ul><ul><li>internet reliant firms saw websites down for days </li></ul></ul></ul><ul><ul><ul><li>other firms experienced massive surge on internet utilisation causing servers / routers to overload </li></ul></ul></ul>
    26. 27. Some BCM Lessons-General Market <ul><li>Reputation Management </li></ul><ul><ul><li>all actions in the gun-sight of the media - during and post incident </li></ul></ul><ul><ul><ul><li>stakeholder management issues not always clearly defined; differentiated or managed appropriately </li></ul></ul></ul><ul><ul><ul><li>public expectations need to be taken into account </li></ul></ul></ul><ul><ul><ul><li>corporate reputation; brand management </li></ul></ul></ul><ul><ul><ul><li>moral issues are paramount eg: </li></ul></ul></ul><ul><ul><ul><ul><li>compensation / medical / general insurance benefits / severance </li></ul></ul></ul></ul><ul><ul><ul><ul><li>trauma counselling / NOK </li></ul></ul></ul></ul><ul><ul><li>Comparisons are inevitable - No Rules - unless international precedents considered </li></ul></ul>
    27. 28. Some BCM Lessons-General Market <ul><li>Risk Identification - outside “Comfort Zone” </li></ul><ul><ul><ul><li>if “likely” look for “global precedents & parallels </li></ul></ul></ul><ul><ul><ul><li>do not be blinkered by “corporate / personal history” </li></ul></ul></ul><ul><ul><ul><li>do not avoid the “apparently insolvable” - there is usually a precedent </li></ul></ul></ul><ul><ul><ul><li>always debate the acceptance of risk and the associated recovery strategy - they do change with time </li></ul></ul></ul>
    28. 29. What Is Different <ul><li>Strategic Re-Assessment of BCM fundamentals </li></ul><ul><ul><ul><li>multiple and concurrent points of failure in critical systems </li></ul></ul></ul><ul><ul><ul><li>increased awareness of integration of “knowledge” and systems </li></ul></ul></ul><ul><ul><ul><li>human element + logistics vs technology </li></ul></ul></ul><ul><ul><ul><li>geographical impacts (local-regional-global) </li></ul></ul></ul><ul><ul><ul><li>supply chains / fish-bones </li></ul></ul></ul><ul><ul><ul><li>redundancies vs interdependencies </li></ul></ul></ul><ul><ul><ul><li>cross - industry impacts </li></ul></ul></ul><ul><ul><ul><li>increased regulatory scrutiny </li></ul></ul></ul>
    29. 30. References – post 9/11 <ul><li>Text sourced from “global continuity.com” </li></ul><ul><ul><li>incorporating findings from McKinsey; Gartner; Dataquest; </li></ul></ul><ul><li>Marsh </li></ul><ul><li>PWC </li></ul><ul><li>Financial Review </li></ul>
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×