January 2013

Beyond the first 48 hours:
Can your business continuity
plan go the distance?
•	 Hurricane Sandy ...
Superstorm as cautionary tale
Rebuilding stronger and smarter
With complexity comes
Almost by definition, di...
Planning for the worst, and beyond
A roadmap back to normal

•	 Identifies and prioritizes cr...
Strong program management
and internal audit functions
are central to effective business
continuity management—the
former ...
It can take more than five years to create
a business continuity program that
management can trust to significantly reduce...
Continuity, not just survival
A call to action
Hurricane Sandy was a clear wake-up call to
business that monsters still wa...
Upcoming SlideShare
Loading in...5

Beyond the first 48 hours: Can your business continuity plan go the distance?


Published on

Hurricane Sandy and other recent disasters exposed the gaps and weaknesses in many businesses' crisis-management plans. A comprehensive continuity program can give you the foresight to change "What do we do now?" into "Here's what we'll do, how we'll do it—and who we'll rely on to do it." More info: http://www.pwc.com/us/en/risk-assurance-services/publications/business-continuity-management.jhtml

Published in: Business, Economy & Finance
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Beyond the first 48 hours: Can your business continuity plan go the distance?

  1. 1. January 2013 Beyond the first 48 hours: Can your business continuity plan go the distance? Highlights • Hurricane Sandy and other recent disasters exposed gaps and weaknesses in many businesses’ crisis management plans. • Rather than just seeing companies through the impact phase of a crisis, an effective business continuity management program creates a roadmap to take them all the way back to business as usual. • Business continuity management takes a holistic view of the enterprise, identifying and prioritizing critical functions, the people and systems that make those functions work, the stakeholders of those functions, and every variable that could affect a return to operational strength. • A clear, concise and tested business continuity management program adds value both during a crisis and during normal operations, providing communication protocols to customers, regulators, and other stakeholders regarding your company’s controls environment. When Superstorm Sandy hit the US eastern seaboard in October 2012, it was a stark reminder of how easily our interconnected world can become disconnected, leaving companies literally in the dark. A good crisis management plan will get you through the initial impacts of a major event, but in order to effectively address large-scale disasters and their aftermath, today’s complex organizations need a comprehensive business continuity management program. A well-designed program will see your company through the crisis to the restoration of operations and the preservation of your brand. Business continuity management provides the foresight that changes “What do we do now?” into “Here’s what we do, here’s how we do it, and here’s the team we can rely on to get it done.” Keep calm and carry on Business continuity management is a comprehensive program that helps a company react quickly and effectively when faced with unplanned interruptions, anticipating and mitigating the revenue loss, reputation, compliance, and expense management impacts of a crisis. An ongoing process, it includes identification of natural and manmade events with the potential to disrupt business activities, preparation for those events (and prevention of them, where possible), mitigation of their effects to achieve operational recovery, and post-execution analysis to promote greater resilience during future events. Business continuity management is much more than crisis management. During Hurricane Sandy and other recent catastrophes, established and tested emergency response and crisis management plans helped companies through the first 48 hours, providing command and control structures that addressed the immediate needs of safeguarding company employees, property, and critical data — essentially, carrying everything to a metaphorical high ground as the floodwaters rose. For many companies, though, that wasn’t enough. In the days following the event, those companies found that inadequate planning scope or failure (or nonexistence) of testing had left significant gaps in their preparedness for a fractured operating landscape, leading to a significantly slowed recovery process.
  2. 2. Superstorm as cautionary tale Rebuilding stronger and smarter With complexity comes vulnerability Almost by definition, disasters create disarray, and the more moving parts in a system, the greater the capacity for chaos. During Hurricane Sandy, for instance, failures of communications systems, power grids, transportation networks, and companies’ own continuity preparations combined to fray connections between organizations and their vendors, suppliers, customers, and even their own employees, producing a perfect storm of business interruption. In the aftermath, many companies were unable to even get the lights back on, much less roar back to full operational strength. Pre-coordination with local emergency management was lacking, leading to bad planning assumptions that hindered business recovery and continuity efforts. Most companies assumed that their employees would be able to work from home following a disaster that impacted their corporate offices, but this assumption proved unfounded for several reasons. In New York, many companies failed to inform employees on Friday that they should take their laptops home in case the storm caused an extended office closure. When the city shut down subway and bus services on Sunday night, 24 hours before the storm made landfall, many employees were unable to reach their offices to retrieve computers and data. Once the storm hit, those who had their computers at home were unable to use them due to power and Internet outages. Those who had electricity lacked consistent connectivity to access files and applications. All of these factors fundamentally nullified most companies’ disaster mitigation strategies. Other factors further complicated companies’ response: • During and after the storm, the extent of damage and the difficulties of living without vital services forced employees to focus on the safety and needs of themselves, their families, and their homes, making them unavailable to return to work as quickly as needed. The lack of identified alternate personnel at many companies delayed the restoration of business services. • In the storm’s immediate aftermath, flooding at telecommunications hubs resulted in loss of Internet and land-line 2 phone services to lower Manhattan and other areas. Over the long term, massive damage to telephone wiring, computers, and control rooms in the flood zone significantly delayed the reopening of many offices. • Some companies had dutifully backed up their critical information away from their primary data centers, but were still affected because the off-site locations also fell within the storm’s impact zone. • High reliance on third parties (e.g., outsourced business processes, logistical support, communication vendors) added complexity to companies’ efforts to come back online. Some technology providers, for example, were unable to restore IT services within agreed-upon timeframes because their operations had also been affected by the storm. The closure of roads, bridges, and tunnels meant some providers were unable to replenish the fuel for their emergency generators, resulting in service shutdowns. • With rumors racing through social media about damage, flooding, and outages at various organizations, companies that had not integrated a social media plan into their emergency communications program were unable to get control of messaging about the condition of their operations. This created even greater confusion among their employees, customers, and other stakeholders. • Supply chains and deliveries were disrupted as the storm flooded warehouses, shut down shipping terminals, closed roads and other arteries, and caused gasoline shortages. • Container ships bound for New York and New Jersey ports found themselves rerouted to ports such as Norfolk, Virginia, causing customers to quickly scramble for alternate intermodal transport services to avoid losing business due to delays in receipt of materials and products. During a crisis event and its aftermath, other normally efficient business models such as shared services can backfire, leaving key internal support services concentrated within the impact zone and causing interruptions at units far afield. Plans to transfer business services to alternate locations may also fail PwC Beyond the first 48 hours: Can your business continuity plan go the distance? due to lack of adequate preparation and testing. Meanwhile, during the recovery phase, competing interests can hamper company efforts. Key customers and regulators, for example, may expect that recovery efforts give priority to processes that support their needs, even though those efforts may not align with priorities needed to ensure overall organizational health. Not meeting those stakeholders’ needs, however, can jeopardize long-term relationships. Navigating the new reality of crisis Hurricanes Sandy and Katrina, the 2011 Japanese tsunami and nuclear disaster, 2010’s Pakistani floods and the eruption of Iceland’s Eyjafjallajökull volcano — these and other recent climate and geological events represent what a 2011 UK report described as “the beginnings of a new kind of future in which mega-disasters are going to be more frequent.”1 On the biological front, the combination of increasing population urbanization, borderless world travel, and the emergence of antibiotic-resistant superbugs holds the potential for pandemic disease outbreaks. At the same time, human nature and the advance of technology combine to increase the possibility of devastating manmade crises — from cyber-attacks taking out data or infrastructure to terrorists launching large-scale acts of destruction. The panoply of risk in today’s global operating environment is such that having a risk-resilient design and solid crisis response capabilities is no longer enough. In addition, the bestprepared companies are arming themselves with a complete, validated, and coordinated business continuity management process that covers the full crisis lifecycle, from emergency response to crisis management to recovery. Having an informed business continuity playbook helps ensure that your organization is strong enough to absorb the first blows of a crisis, resilient enough to remain standing through the aftershocks, and properly organized to return critical processes to an acceptable, pre-defined functional level in the weeks and months that follow. 1 UK Department for International Development, Humanitarian Emergency Response Review (March 2011), http://www.dfid.gov.uk/Documents/ publications1/HERR.pdf.
  3. 3. Planning for the worst, and beyond A roadmap back to normal Institutionalizing readiness • Identifies and prioritizes critical functions, based on an impact analysis. drills, and audits to review the viability of plans against varying crisis scenarios. A good business continuity plan takes a holistic view of the enterprise, identifying the critical aspects of the business, the moving parts that contribute to their functioning (people, systems, data, networks, suppliers, facilities), the full range of stakeholders affecting and affected by that functioning (personnel, customers, regulators, etc.), and the internal and external potentialities that could affect a return to operational strength (transportation, power, and communications infrastructure, human behavior, etc.). Effective planning: • Sets recovery time objectives for the restart of the organization’s various systems, based on overall organizational needs and an evaluation of how long critical functions can remain offline. • Establishes workarounds to return critical functions to operation when deprived of their usual support structures. Planning must follow a consistent process, irrespective of geographies or silos, in order to promote smooth synchronization in the event of a crisis. To assure such a process, a strong program management function is central to the BCM planning effort, organizing and providing a structure for the effort and helping to manage tasks, activities, and dependencies across all functional areas. A project management office helps capture and organize the information needed for the analysis phase of a business continuity management project. Program management is also critical during crisis events, able to bring established, turnkey processes online immediately to support the recovery operation. • Establishes a governance and program management structure aligning your crisis and business continuity management objectives and defining authorities, roles, and responsibilities (including decision-making and communication structures). • Defines the parameters of the company’s duty of care during a crisis: whether (and to what extent) it extends its responsibility beyond employees to include contractors, guests, employees’ families, etc. For the planning process to succeed, organizations must enjoy energetic buy-in and support at the C-suite and board level, be ready to devote sufficient funding to support a continuity plan scaled to need, and be prepared to conduct tabletop tests, The elements of business continuity management Business continuity management is a robust program that helps companies react quickly to unplanned interruptions, incorporating processes to identify, prevent, and prepare for events that have the potential to disrupt business activities. Under the umbrella structure of crisis management, three disciplines are designed to see your business, your people, and your data through the impact and aftershocks of a crisis event and steer it back toward business as usual. Once there, reporting can help reassure stakeholders that you’re ready for the next time. Crisis management: Provides command and control during an operational disruption. Crisis management includes incident identification, evaluation, escalation, declaration, and plan activation and deactivation. Internal and external communication is a key component. Emergency response IT disaster recovery Business continuity Facilitates and organizes employer and employee actions during workplace emergencies. These involve life safety procedures to protect the well-being of personnel and visitors. During an event lasting more than 24 hours, actions taken during the emergency response will directly impact IT disaster recovery and business continuity activities. Addresses the restoration of business system software, hardware, IT infrastructure services, and data. Provides interim IT services that support the crisis management response. Addresses the recovery and continuity of critical business functions required to maintain an acceptable level of operation during an incident. Facilitates the restoration of critical business functions to pre-crisis effectiveness. Post-crisis reporting: Companies can utilize SOC 2/3 attestation reports to describe to customers and other stakeholders the controls in place that help reduce the impact of interruptions to the organization’s availability. PwC Beyond the first 48 hours: Can your business continuity plan go the distance? 3
  4. 4. Strong program management and internal audit functions are central to effective business continuity management—the former to act as a logistical engine to manage the effort (in both the planning phase and in reacting to crisis events), the latter to bring an enterprise view to analysis and solutions design and a rigorous approach to validating and monitoring policies, procedures, and people. The analysis phase consists of conducting a business impact analysis and a risk analysis, creating impact scenarios, then examining the aggregate organizational view provided. The business impact analysis functions as the cornerstone of your business continuity planning effort, assessing and prioritizing your business functions and processes, identifying the potential impact of disruptions, identifying all legal and regulatory requirements, and determining the maximum tolerable period of disruption for each critical function and the maximum acceptable data loss. A risk analysis identifies risks (fire, flood, sabotage, epidemic, technical failure, etc.) that could impact key functions, quantifies the probability of those risks actualizing and their likely resultant damages, assesses the vulnerability of specific company assets to those risks, and evaluates the controls that are or could be put in place to reduce the impact of risk events. The results of the risk analysis are then used to create impact scenarios that describe how risk events could affect business abilities and functions. Typically, these scenarios are scaled up to involve worst-case events, on the presumption that solutions developed for, say, a thousand-mile-wide Atlantic superstorm would more than suffice for a bad nor’easter. The results of the business impact analysis, risk analysis, and impact scenarios together allow the organization to map and prioritize its vulnerabilities against the various probability-ranked risks and begin crafting the solutions that will form its business continuity plan: creation of a crisis management command and control structure, identification of secondary work sites, establishment of communications and IT architecture and requirements for secondary sites, etc. In examining risks and vulnerabilities, involvement of internal audit is a best practice, bringing a cross-functional enterprise view to the proceedings and adding value throughout the business continuity planning process. On the front end, internal audit’s unique access to the C-suite and audit committee can help build awareness of business continuity issues, including by layering business continuity into annual risk assessments. Internal audit can also work with procurement to proactively validate key vendors’ and suppliers’ business continuity preparation and resiliency. During plan development, internal audit can help set the scope of the impact analysis and identify gaps in processes and controls both within company functions and within the supply chain, helping avert the “weak link” syndrome that could stall the overall recovery process and jeopardize the organization’s survival. During solutions testing, internal audit can provide risk-based insight to support tabletop exercises designed to stress and uncover vulnerabilities in the various phases of emergency response and recovery — from a phase-one test that assembles the crisis management team and initiates communications to a full “day in the life” exercise that tests your solutions’ ability to relocate services, move work among locations, access backup data systems, switch to alternate suppliers, and so on. Business continuity exercise maturity model High Narrow Scope of exercise Wide Full-interruption/ full-scale exercise Complexity/effort of continuity exercise Functional drill/ parallel exercise Tabletop exercise/ structured walk-through exercise Low Low 4 Walk-through drill/ simulation exercise Confidence in business continuity program effectiveness PwC Beyond the first 48 hours: Can your business continuity plan go the distance? High
  5. 5. It can take more than five years to create a business continuity program that management can trust to significantly reduce the impact of major crisis events. The journey begins by enlisting a full-time resource to coordinate the beginning efforts of assessing interruption risks and identifying critical business processes. Involving business continuity specialists at this juncture shortens the learning curve necessary to create effective business continuity plans, as specialists will bring with them proven industry and operational insight into what works. The result will be tested, easily assessable, streamlined, and always relevant continuity plans maintained and owned by the relevant critical process owners. Broadcasting success Preparedness is the first step in response, but response is the critical test of preparedness. Once a company that provides critical services or products has gone through a crisis event, senior management will want to assess the impact of the event on the company’s operations and controls, and provide assurance to customers, regulators, and other stakeholders regarding how its systems control environment is positioned to react to future events. Several reporting options are available to companies that wish to provide a controls attestation to interested parties, covering topics such as periodic tests of their disaster recovery program and controls over availability of systems, safeguarding of information, and business resumption. As a first step, companies should undergo a diagnostic process to help them determine the readiness of their control design and the robustness of documentation to withstand an audit. The diagnostic should include a gap analysis to determine whether controls need to be added or modified in order to satisfy stakeholder expectations. Once this has been accomplished and the organization is satisfied with the adequacy of its control design and operating effectiveness, it can engage a CPA firm to conduct an examination using the AICPA’s attestation standards. An engagement that is conducted under this standard will result in a Service Organization Control (SOC) report. SOC 1 reports, which focus on controls over financial reporting, have little relevance for disaster recovery and business continuity, so companies usually look to other types of attestations, such as SOC 2 and SOC 3 reports. These reports are designed to address criteria relevant to data security, availability, processing integrity, confidentiality, and system/information privacy, collectively known as the AICPA Trust Services Principles. SOC 2 and SOC 3 reports can be issued on one or multiple Trust Services Principles, and can help organizations meet stakeholders’ desire for increased transparency into these operations and compliance functions. Other report options are also available beyond the more widely known SOC reports. Relevance is the key factor for companies contemplating completion of an attestation report around their business continuity management activities. In other words, the report criteria must match the topics that are important to the company’s customers. The best way to determine this is to speak with customers’ risk managers or internal audit executives. • SOC 2 reports: SOC 2 reports contain an opinion on the fairness of management’s description of the service organization’s systems and the suitability of the design of its controls to meet the applicable Trust Services criteria. These reports may include any of the Trust Services Principles previously discussed, as well as other information tailored to a company’s customer base. The flexibility with which this report may be distributed to a company’s customers is based on how specific the criteria are to a given customer: The more specifically tailored to a single client, the more restrictive the ability to distribute the report. Companies that use more general or established criteria in the report may distribute the report to a wider audience. • SOC 3 reports: The key difference between SOC 2 and SOC 3 reports is that SOC 3 is a general-use report that provides only the auditor’s report on whether a system meets the Trust Services criteria. It does not contain details of the auditor’s tests of controls, the results of those tests, or the auditor’s opinion regarding management’s description of its systems. Because this report uses established criteria and is not specific to a particular customer, companies can distribute it widely, including posting it on their corporate website. PwC Beyond the first 48 hours: Can your business continuity plan go the distance? 5
  6. 6. Continuity, not just survival A call to action Hurricane Sandy was a clear wake-up call to business that monsters still walk the earth: catastrophes, natural and manmade, with the potential to far outstrip the capacities of traditional crisis management plans. To meet these increased threats with symmetrically increased resources, organizations should begin objectively assessing their overall business continuity management program to determine whether it’s armed with the right tools to reduce crisis events’ impacts to revenue, reputation, regulatory compliance, and expense management. An effective business continuity management program: How PwC can help • Encompasses emergency response, crisis management, IT disaster recovery, and business continuity. Neil Kaufman Director PwC 646 471 7976 neil.kaufman@us.pwc.com • Focuses on the recovery of critical business processes, prioritized according to their importance to the organization’s overall functionality. • Employs a standards-based approach to assure uniform and consistent planning, implementation, and upgrade of business continuity policies and procedures across the organization. • Uses specialists who’ve created and assessed hundreds of business continuity programs and can provide out-of-the-box solutions across the planning process, from analysis to reporting. To have a deeper discussion of how these subjects might affect your company or board, please contact: Dean Simone US Risk Assurance Services Leader PwC 267 330 2070 dean.c.simone@us.pwc.com Ken Coy Governance, Risk & Compliance Leader PwC 313 394 3246 ken.coy@us.pwc.com Scott Metro Financial Services Third Party Assurance Leader PwC 646 471 6596 scott.metro@us.pwc.com Phil Samson Business Continuity Management Leader PwC 214 754 7269 phil.samson@us.pwc.com David Tilk IT & Project Assurance Principal PwC 216 875 3349 david.tilk@us.pwc.com © 2013 PricewaterhouseCoopers. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. NY-13-0388