Understanding your BCM maturity through benchmarking


This presentation was delivered at a BCI North Midlands forum meeting in March 2016.


  1. www.pwc.com. Understanding your BCM maturity through benchmarking. March 2016. Scott Hughes.
  2. Agenda: Benchmarking Business Continuity
      1. Does it matter?
      2. Internal Benchmarking
      3. External Benchmarking
      4. Q&A
  3. Does it matter?
  4. Why benchmark BCM maturity?
      1. Transparency with consent
      2. Internal and external benchmarking
      3. Continual improvement
      4. Who benchmarks within their own organisation or with other organisations to improve their own BCM or other disciplines?
      5. What are the benefits and output?
  5. Trends
      • Rising expectations
      • Board interest in measurement
      • Evolving standards, regulation and governance
      • Are we over or under investing?
      • The rise of resilience
      • Complex organisations
  6. Evolving standards
      • ISO 22301 (BCM)
        - Replaced BS 25999 and became the de facto international standard
      • ISO 27031 (IT Disaster recovery)
      • ISO 27001 (Information Security)
      • BS11200 (Crisis Management)
        - Recently replaced PAS200
      • BS 65000 (Guidance on organisational resilience)
      • Coming soon…
  7. Internal Benchmarking
  8. Benchmarking internally
      • Internal Audit
      • Review (i.e. 2nd line of defence)
      • BCM Programme (reporting to steering committee)
      • Board / NEDs
      • Known issues and challenges
      • Listed companies
      • Commercial drivers (i.e. due diligence)
  9. Maturing BCM - model (maturity levels, highest to lowest)
      • Optimised
        - Characteristics: BCM is integrated within overall risk management approach, and is embedded within the corporate governance processes.
        - Ability to respond: Investment in BCM and Risk is optimised, and the organisation has sustained capability to respond to major threats.
      • Integrated
        - Characteristics: Analysis has been done across the organisational silos taking into account supply and value chain dependencies and risks.
        - Ability to respond: Key business priorities understood, and organisation can implement a strategic response across sites and supply chain to disruptions.
      • Established
        - Characteristics: Business Continuity is integrated with incident and crisis management and emergency response. The BCMS is embedded in the organisation with regular exercising.
        - Ability to respond: Response capabilities are optimised at a site level and their ability to recover operations is reasonably certain and efficient.
      • Informal
        - Characteristics: BCM policy is set, and business continuity plans developed for key sites and facilities.
        - Ability to respond: Key sites and facilities can respond to major incidents and they should be able to reduce the disruption to their operations.
      • Undeveloped
        - Characteristics: Piecemeal and ad hoc plans, usually driven by a need to comply with legislation or regulation.
        - Ability to respond: Minimum legal / regulatory requirements are met but the ability to respond is patchy and uncertain.
  10. Different levels of extrapolation
      • Levels: Organisation (1), Region (2), Country (3), Site (4), Business Unit
      • The PwC tool can be used to extrapolate different data from across any organisation, such as by whole organisation, region, country or site, or by slicing across the company to analyse the maturity of a single business unit.
      • [Figure: Example outputs from Benchmarking Tool]
  11. What are we seeing?
      • Poor quality plans: Difficult to use, out of date, built to ‘tick the box’ without thinking it through
      • Overkill: Over-the-top analysis, costing too much, taking too much time, and hard to sustain
      • A lack of embedding: Investment thrown away because plans are built and then resources taken away
      • Lack of testing: No exercises in safe environment to validate plans
      • Lack of involvement of senior management
  12. External Benchmarking
  13. Are we resilient?
      • Business Continuity
      • Crisis Management
      • Risk Management
      • Physical Security
      • Cyber & Information Security
      • Emergency Management
      Can these functional leaders assure the CEO that, together, they can, do or should provide the total resilience capacity for the organisation?
  14. PwC Operational Resilience Benchmark: Operational resilience evaluation can be integrated to provide a more complete picture of resilience
  15. Business Sectors
      • Aerospace and defence
      • Automotive
      • Banking and Capital Markets
      • Chemical, Oil and Gas
      • Communications
      • Energy, Utilities and Mining
      • Engineering and Construction
      • Entertainment and Media
      • Financial Services
      • Government and public services
      • Healthcare
      • Hospitality and Leisure
      • Manufacturing
      • Insurance
      • Retail and Consumer
      • Technology
      • Transportation and logistics
  16. Business Continuity Management
  17. Benefits of benchmarking
      • Identifies gaps and exposures in controls.
      • Aligns BCM maturity across business units, divisions and territories
      • Direction of investment – where an organisation is potentially over/under investing
      • Benchmarking against aspirations and against the norms for the industry sector
      • Identification of trends
      • Insight on where you may be encountering issues
  18. Questions to take away
  19. Questions we should ask
      1. Are we sure of capability? Do all departments, business units, territories have the appropriate capability for BCM?
      2. How do we measure maturity? How do we measure levels of capability across the organisation? Is the comparison right and fair?
      3. Are investment levels right? Are sensible choices being made on BCM? Can people explain how much is being spent and why?
      4. Gaps and weaknesses? Where are the gaps in the BCM programme? How can we fix any issues or challenges?
      5. Are we joined up on resilience? Is BCM integrated with risk management and other resilience related disciplines? Do we have silo mentality?
  20. Any questions? Scott Hughes, Senior Manager, Enterprise Risk and Resilience. +44 (0)7730 146239. scott.hughes@uk.pwc.com. https://www.pwc.co.uk/services/audit-assurance/operational-resilience-benchmark-tool.html
  21. Thinking Enterprise Resilience. This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2016 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. 120619-155237-MC-OS
