Peter Poulos, profile picture
Uploaded byPeter Poulos
PDF, PPTX134 views

2005_SIA_BCP_Conf

This document summarizes business continuity risk assessment approaches from three major financial institutions: 1. Morgan Stanley prioritizes business risks into three categories based on the level of mitigation and response solutions in place. Risk analysis is performed at the regional and divisional levels. 2. Citigroup conducts a Threat and Vulnerability Assessment (TVA) to identify risks and their probabilities and impacts. A cross-functional team evaluates factors like security, facilities, technology, and human resources. 3. Credit Suisse First Boston (CSFB) prioritizes processes into three tiers based on their criticality. It considers both the business importance of locations and threats associated with them to weigh risks. CSF

Embed presentation

Download as PDF, PPTX
Greg Ferris – Executive Director, Morgan Stanley John Odermatt – Corporate Director, Citigroup Peter Poulos – Director, Credit Suisse First Boston (CSFB) Workshop: Lessons in Risk Assessment
2 Workshop Overview 1. Introductions 2. Business Continuity Risk Assessment – Firm Perspectives in Approach • Morgan Stanley • Citigroup • Credit Suisse First Boston (CSFB) 3. Questions & Answers
3 Business Continuity Risk Assessment – Firm Perspectives in Approach Morgan Stanley
4 Crit 2 Crit 1 Crit 2Crit 3 Life safety mitigation and response will be constant in all locations Prioritize business risks: Crit 1 – Mitigation and response solutions in place for all risks Crit 2 – Mitigation solutions in place for some risks. Response solutions in place for all. Crit 3 – No mitigation solutions in place. Response solutions in place for all. Analysis performed at the regional and divisional level Probability Impact The Macro View: Prioritizing Risk – Determining What Matters Most
5 Identifying Risks – Think about the events (natural and man made) that could interrupt the normal flow of operations and/or threaten the well being of employees – Don’t focus purely on disasters in the classic sense – Try to focus on the effect of the problem as opposed to it’s cause Assessing Risk – Assess the probability/impact of each risk statement – Provide a criticality ranking for each The Macro View: Cataloging and Assessing Risk
6 Probability Scoring 1 Greater than 66 percent chance of occurrence (will happen or is very likely to happen) 2 33 to 65 percent chance of occurrence (likely to happen) 3 Less than 33 percent chance of occurrence (not likely to occur) Impact Scoring 1 Outage will result in inability to meet regulatory requirements and introduce excessive risk 2 Outage will not impede ability to meet regulatory requirements or excessive risk, but will impact client service functions 3 Outage will not affect critical functions and/or critical functions are easily failed over Getting Started: Assessing Probabilities and Impacts
7 Probability Scoring 1 Greater than 66 percent chance of occurrence (will happen or is very likely to happen) 2 33 to 65 percent chance of occurrence (likely to happen) 3 Less than 33 percent chance of occurrence (not likely to occur) Impact Scoring 1 Outage will result in unacceptable risk to New Jersey’s citizens and/or assets 2 Outage will not result in unacceptable risk to New Jersey’s citizens and/or assets, but will impact continuity of government and/or the ability to communicate with all levels of government 3 Outage will not affect critical functions and/or critical functions are easily failed over The Macro View: Assessing Risk
8 Criticality Assessment 1 Probability Score 3 to 1 - Impact Score 1 2 Probability Score 2.5 to 1 - Impact Score 2 3 Probability Score 3 to 2.5 – Impact Score 2; Probability Score 3 to 1 – Impact Score 3 The Macro View: Prioritizing Risk
9 Business Continuity Risk Assessment – Firm Perspectives in Approach Citigroup
10 Sub-processes, Recovery Strategies & Requirements Sub-processes, Recovery Strategies & Requirements Threat & Vulnerability Assessment (TVA) BIA Business Impact Analysis TVA Threat & Vulnerability Assessment SRA Sector Risk Assessment SRA Sector Risk Assessment BIA Business Impact Analysis The purpose of the TVA is to: • Determine standard threat scenarios and planning constraints • Identify vulnerability, symbolic value, single point of failure, or concentration of resources • Composite Resilience Rating
11 Cross Functional Collaboration • Perimeter security • VIP security • Proximity to other known militant targets • Utility diversity • Fire suppression • Electrical grids • UPS and generators • Egress and risers • Dual paths • Data Center strategy • Concentration of Infrastructure • People Strategy • Single point of failure • Perimeter security • VIP security • Proximity to other known militant targets • Utility diversity • Fire suppression • Electrical grids • UPS and generators • Egress and risers • Dual paths • Data Center strategy • Concentration of Infrastructure • People Strategy • Single point of failure SecuritySecurity FacilitiesFacilities TechnologyTechnology HRHR • Physical security• Physical security • Physical plant resilience• Physical plant resilience • Infrastructure resilience• Infrastructure resilience • Personnel• Personnel Team Lead: Office of Business Continuity TVA Team Expertise Example Components
12 TVA: Threats For a Facility include … • Vulnerability – low, medium, or high • Symbolic Value as a Target – low, medium, or high • Single Points of Failure – resources that do not have redundancy at another Citigroup facility
13 TVA: Threats at a Facility (continued) Threats include: • Regional Blackout • Civil Unrest • Telecom Utility Interruptions • Epidemic • Hurricane • Flood • Earthquake • Bomb • Terrorist Event • Sabotage
14 TVA: Threat at a Facility (continued) • For each potential threat the worst- case scenario is considered: Outage duration range days, weeks, or months Radius impacted <30 miles or >30 miles (50 km) Loss probability low, medium, or high • Then a composite resilience rating is calculated by the team
15 TVA: Consistent Output (continued) Standard Threats, scenarios, and planning constraints Vulnerability, symbolic value, single point of failure, proximity, or concentration of resources Composite Resilience Rating Threats Outage Duration Range Radius Impacted Scope of Infrastructure Services Affected (Potential) Regional Blackout Days >30 miles Many Civil Unrest Days >30 miles Some Telco Interruption Days <30 miles Few Health Epidemic Weeks >30 miles Many Terrorist Event (multiple) Weeks >30 miles Many Sabotage of Facilities Weeks <30 miles Some Hurricane/ Typhoon Weeks >30 miles (Cat 4/5) Some Tornado Weeks-Mos >30 miles (F 4/5) Some Flood Weeks-Mos >30 miles Some Earthquake Weeks-Mos >30 miles (>6.0) Many Bio/chemical release Months <30 miles Many Dirty Bomb Months <30 miles Some
16 Business Continuity Risk Assessment – Firm Perspectives in Approach Credit Suisse First Boston (CSFB)
17 CSFB Business Continuity Prioritization of Processes / Products Tier 1 – Critical Process(es) and/or associated products which are required for the bank to survive or whose unavailability would cause irreparable damage to the bank. This includes all core technology infrastructure systems and facilities on which all applications and data are dependent to conduct these processes. (e.g., funding the bank and associated settlement risks, safeguarding firm and customer assets, manage market and credit risks, etc.) Tier 2 – Required Process(es) and/or associated products whose availability is mandated by either regulatory requirements, customer or market obligations and/or business priorities. Tier 3 – Less Critical Process(es) and/or associated products that either have a delayed recovery timeframe or for which recovery can be deferred.
18 Risk Weighting Criteria Used by CSFB CSFB takes into consideration two key factors by location in weighing business continuity risks. The first is the relative importance of a physical location from a business perspective and the second is the associated threat(s) at that location. Business Importance by Location 1. Financial Exposures a) Revenue Exposure or Opportunity Cost (foregone revenues due to inability to execute trades) b) Market Exposure or Value at Risk (capital loss on principal positions due to adverse market movements) c) Contractual and Reputation Exposure (costs of inability to perform contractual obligations and long- term impact of damaged customer franchise) 2. Presence of Business Functions/Processes and Products transacted 3. Presence of Technology Infrastructure supporting Business Functions/Processes and Products Threats Associated by Location 1. Environmental Risk a) Physical Threats (e.g., inclement weather, earthquakes, civil unrest, etc.) b) Municipal Utility Infrastructure (e.g, power, water) c) Telecommunications Infrastructure d) Transportation Infrastructure e) Health Care Infrastructure 2. Staff Concentration Risk 3. Technology Risk 4. Facility Risk
19 Business Continuity Impact Scenarios Assumed by CSFB Partial Loss Planning Time Horizon: Intraday (Up to start of next business day) Assumes no physical destruction of facilities or systems. Business unit staff would either wait for IT and/or facilities disruption to be remediated or invoke business continuity plans. Internal outages/failures; examples: partial power outage or hardware/software failure. Denial of Access Planning Time Horizon: Up to 3 days Assumes no physical destruction of facilities or systems. Business unit staff would need to evacuate or be denied access to their primary office space. Examples: Transit strike, inclement weather, bomb scare, gas leak, civil unrest. Total Loss Planning Time Horizon: Up to 1 month or longer * Assumes physical destruction of facilities, systems and/or people. Examples: Terrorist attack, earthquake, catastrophic fire, flood. Loss of Key External Interdependencies Planning Time Horizon: Variable dependent on whether impact to CSFB is a Partial Loss, Denial of Access or Total Loss Assumes interruption of service provided by Third Party Service Providers, Exchanges, Industry Utilities, Clearing Corporations, and/or Market Data Systems (e.g., pricing/news/market analysis information, communications, trade execution/deal capture, etc.). Also assumes interruption of services provided by CSFB. * If the event is a Total Loss of primary data center collocated with people, then impact duration starts on Day 1. However, if the event is a Denial of Access to a data center facility lasting more than 3 days, then it is considered a Total Loss event.
20 Business Recovery/Resiliency Strategy Options – Considerations for Risk Mitigation Impact Scenario Probability of Occurrence Business Recovery / Resiliency Strategy Option Estimated Recurring Cost Speed Of Recovery Difficulty of Recovery Split/Shared Production L H L Transference L H M Displacement Seating L M L Remote* L M M Manual Workarounds L M M Internal Recovery/ Contingency Seating – Dedicated Trading H M M Internal Recovery/ Contingency Seating – Dedicated Non-Trading H M M Internal Recovery/ Contingency Seating – Shared Non-Trading H M M Third Party Provider Recovery/ Contingency Seating - Dedicated Non-Trading H M M Third Party Provider Recovery/ Contingency Seating - Shared Non Trading M L H Split/Shared Production L H L Transference L H M Displacement Seating L M L Remote* L M M Manual Workarounds L M M Internal Recovery/ Contingency Seating – Dedicated Trading H L H Internal Recovery/ Contingency Seating – Dedicated Non-Trading H L H Internal Recovery/ Contingency Seating – Shared Non-Trading H L H Third Party Provider Recovery/ Contingency Seating - Dedicated Non-Trading H L H Third Party Provider Recovery/ Contingency Seating - Shared Non Trading M L H Split/Shared Production L H L Transference L H M Displacement Seating L M M Remote* L M M Manual Workarounds L M M Total Loss Low Relative Partial Loss High Denial of Access Medium Legend H = High M = Medium L = Low Remote* - Availability, functionality and capacity of key systems varies by business and by type of remote access
21 New York Downtown Campus Jersey City Site A Jersey City Site B Central NJ Office and Data Center Jersey City Site C Jersey City DR Data Center Current State New York Downtown Campus Proposed Interim State Proposed Future State BAU Assets BCP/ DR Assets Through the use of optimized traditional and alternative recovery and resiliency strategies, utilization of Business-As-Usual (BAU) firm assets (people, facilities and technology) increase while physical concentration risks are mitigated and DR-only overhead costs are reduced. Traditional Recovery – Dedicated or shared contingency seats (internally managed or third party) Alternative Recovery – Displacement, remote computing, transference, split production BAU Assets BCP/DR Assets Legend Jersey City Site A Jersey City Site B Southeastern US Office Jersey City DR Data Center Southeastern US Office and Data Center Asia New York Downtown Campus LondonAsia Midtown Office Midtown Office Northern NJ DR Data Center Northern NJ DR Data Center London Central NJ Office and Data Center Central NJ Office and Data Center London Business Continuity Risk Mitigating Strategies – Illustrative Optimization Over Time Jersey City Site A Midtown Office

More Related Content

PDF
Introduction to Business Continuity Management
byProf. David E. Alexander (UCL)
 
PDF
Contingency Planning Guide
byrlynes
 
PDF
IT Risk managment combined
byGlen Alleman
 
PPT
Business Contingency Planning
byahmad bassiouny
 
PDF
IIA Facilitated Risk Workshop
byErsoy AKSOY
 
PPTX
Crisis management and Disaster Recovery V21
byJorge Sebastiao
 
PDF
Coordinating Security Response and Crisis Management Planning
byCognizant
 
PPTX
Doug brown
byNASAPMC
 
Introduction to Business Continuity Management
byProf. David E. Alexander (UCL)
 
Contingency Planning Guide
byrlynes
 
IT Risk managment combined
byGlen Alleman
 
Business Contingency Planning
byahmad bassiouny
 
IIA Facilitated Risk Workshop
byErsoy AKSOY
 
Crisis management and Disaster Recovery V21
byJorge Sebastiao
 
Coordinating Security Response and Crisis Management Planning
byCognizant
 
Doug brown
byNASAPMC
 

What's hot

PPTX
Rolling out Business Continuity Planning (BCP) for Manufacturer Company
byBank Alfalah Limited
 
PPTX
S thomas sfield
byNASAPMC
 
PPTX
Risk and Business Continuity Management
byContinuity and Resilience
 
PDF
Improved Risk Analysis Through Failure Mode Classification According to Occur...
byRavish P.Y. Mehairjan
 
PDF
Srm
byTim Smith
 
PDF
Risk managment in aviation environment
byCristiane Freitas
 
PDF
Bt8901 objective oriented systems2
byTechglyphs
 
PPT
Irs intro unit 3 basic features usfs ip (2)
byneeraj verma
 
PDF
Understanding enterprise risk management and fair
byiaemedu
 
PPT
Topic 02 human and organizational factors in process industry
byBasitali Nevarekar
 
PDF
Mitigation Planning PowerPoint Presentation Slides
bySlideTeam
 
PDF
Incident managment plan
bySafwan Hashmi
 
PDF
Factors Affecting Risk Management For Construction By Analytic Hierarchy Proc...
byA Makwana
 
PPT
Bcm Roadmap
bybtrmuray
 
PDF
Risk Management Plan Example
byTHE HANG SENG UNIVERSITY OF HONG KONG
 
PPT
Chapter 1 risk management (3)
byrafeeqameen
 
PDF
Risk Assessment Case Study
byPraveen Vackayil
 
PDF
The International Journal of Engineering and Science (The IJES)
bytheijes
 
PDF
Safety in design paper a live picture of organisational risk by linking risk...
byAlex Apostolou
 
PDF
Practical_Guide_for_Disaster_Avoidance
byJoe Soroka
 
Rolling out Business Continuity Planning (BCP) for Manufacturer Company
byBank Alfalah Limited
 
S thomas sfield
byNASAPMC
 
Risk and Business Continuity Management
byContinuity and Resilience
 
Improved Risk Analysis Through Failure Mode Classification According to Occur...
byRavish P.Y. Mehairjan
 
Srm
byTim Smith
 
Risk managment in aviation environment
byCristiane Freitas
 
Bt8901 objective oriented systems2
byTechglyphs
 
Irs intro unit 3 basic features usfs ip (2)
byneeraj verma
 
Understanding enterprise risk management and fair
byiaemedu
 
Topic 02 human and organizational factors in process industry
byBasitali Nevarekar
 
Mitigation Planning PowerPoint Presentation Slides
bySlideTeam
 
Incident managment plan
bySafwan Hashmi
 
Factors Affecting Risk Management For Construction By Analytic Hierarchy Proc...
byA Makwana
 
Bcm Roadmap
bybtrmuray
 
Risk Management Plan Example
byTHE HANG SENG UNIVERSITY OF HONG KONG
 
Chapter 1 risk management (3)
byrafeeqameen
 
Risk Assessment Case Study
byPraveen Vackayil
 
The International Journal of Engineering and Science (The IJES)
bytheijes
 
Safety in design paper a live picture of organisational risk by linking risk...
byAlex Apostolou
 
Practical_Guide_for_Disaster_Avoidance
byJoe Soroka
 

Similar to 2005_SIA_BCP_Conf

PDF
Outsourcing
bykarlhennessy
 
PPTX
Risk Management / Information Security
byNicollai Kostadinov
 
PDF
How Financial Firms Blaze a Trail To New, More Predictive Operational Resilie...
byDana Gardner
 
PDF
2009_NYC_OpRiskUSA_Conf
byPeter Poulos
 
PDF
Risk Management - Business Continuity Planning and Management
byCody Shive
 
PDF
Business continuity planning guide
byCenapSerdarolu
 
PPTX
Business continuity planning guide
byAstalapulosListestos
 
PPTX
sdfdsfsfsdfsdfsdfsdfssefsdfsdfsdfwteesfgrtertwetetwewetwetwerwerewrdfsds
bysrizvi9
 
DOCX
contributed articlesm a r c h 2 0 1 0 v o l . 5 3 .docx
bydickonsondorris
 
DOCX
contributed articlesm a r c h 2 0 1 0 v o l . 5 3
byDioneWang844
 
PPTX
Risk mgmt key to security certifications v2
byJorge Sebastiao
 
PPTX
Cyber Essentials and BSI standards - managing the business risk
byJisc
 
PPTX
Identifying Your Agency's Vulnerabilities
byEmily2014
 
PPTX
Securing Fintech: Threats, Challenges & Best Practices
byUlf Mattsson
 
PPTX
Service Provider Oversight
byNICSA
 
PDF
How More Industries Can Cultivate A Culture of Operational Resilience
byDana Gardner
 
PPTX
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
byJohn D. Johnson
 
PDF
BC Awareness Workshop
byAmalfiCORE, LLC
 
DOCX
11152018 Strayer University Online Libraryhttpseds.b..docx
bydrennanmicah
 
DOCX
4 Questions only Question 6. I have answered part of the.docx
bytamicawaysmith
 
Outsourcing
bykarlhennessy
 
Risk Management / Information Security
byNicollai Kostadinov
 
How Financial Firms Blaze a Trail To New, More Predictive Operational Resilie...
byDana Gardner
 
2009_NYC_OpRiskUSA_Conf
byPeter Poulos
 
Risk Management - Business Continuity Planning and Management
byCody Shive
 
Business continuity planning guide
byCenapSerdarolu
 
Business continuity planning guide
byAstalapulosListestos
 
sdfdsfsfsdfsdfsdfsdfssefsdfsdfsdfwteesfgrtertwetetwewetwetwerwerewrdfsds
bysrizvi9
 
contributed articlesm a r c h 2 0 1 0 v o l . 5 3 .docx
bydickonsondorris
 
contributed articlesm a r c h 2 0 1 0 v o l . 5 3
byDioneWang844
 
Risk mgmt key to security certifications v2
byJorge Sebastiao
 
Cyber Essentials and BSI standards - managing the business risk
byJisc
 
Identifying Your Agency's Vulnerabilities
byEmily2014
 
Securing Fintech: Threats, Challenges & Best Practices
byUlf Mattsson
 
Service Provider Oversight
byNICSA
 
How More Industries Can Cultivate A Culture of Operational Resilience
byDana Gardner
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
byJohn D. Johnson
 
BC Awareness Workshop
byAmalfiCORE, LLC
 
11152018 Strayer University Online Libraryhttpseds.b..docx
bydrennanmicah
 
4 Questions only Question 6. I have answered part of the.docx
bytamicawaysmith
 

2005_SIA_BCP_Conf

  • 1.
    Greg Ferris –Executive Director, Morgan Stanley John Odermatt – Corporate Director, Citigroup Peter Poulos – Director, Credit Suisse First Boston (CSFB) Workshop: Lessons in Risk Assessment
  • 2.
    2 Workshop Overview 1. Introductions 2.Business Continuity Risk Assessment – Firm Perspectives in Approach • Morgan Stanley • Citigroup • Credit Suisse First Boston (CSFB) 3. Questions & Answers
  • 3.
    3 Business Continuity RiskAssessment – Firm Perspectives in Approach Morgan Stanley
  • 4.
    4 Crit 2 Crit1 Crit 2Crit 3 Life safety mitigation and response will be constant in all locations Prioritize business risks: Crit 1 – Mitigation and response solutions in place for all risks Crit 2 – Mitigation solutions in place for some risks. Response solutions in place for all. Crit 3 – No mitigation solutions in place. Response solutions in place for all. Analysis performed at the regional and divisional level Probability Impact The Macro View: Prioritizing Risk – Determining What Matters Most
  • 5.
    5 Identifying Risks – Thinkabout the events (natural and man made) that could interrupt the normal flow of operations and/or threaten the well being of employees – Don’t focus purely on disasters in the classic sense – Try to focus on the effect of the problem as opposed to it’s cause Assessing Risk – Assess the probability/impact of each risk statement – Provide a criticality ranking for each The Macro View: Cataloging and Assessing Risk
  • 6.
    6 Probability Scoring 1 Greaterthan 66 percent chance of occurrence (will happen or is very likely to happen) 2 33 to 65 percent chance of occurrence (likely to happen) 3 Less than 33 percent chance of occurrence (not likely to occur) Impact Scoring 1 Outage will result in inability to meet regulatory requirements and introduce excessive risk 2 Outage will not impede ability to meet regulatory requirements or excessive risk, but will impact client service functions 3 Outage will not affect critical functions and/or critical functions are easily failed over Getting Started: Assessing Probabilities and Impacts
  • 7.
    7 Probability Scoring 1 Greaterthan 66 percent chance of occurrence (will happen or is very likely to happen) 2 33 to 65 percent chance of occurrence (likely to happen) 3 Less than 33 percent chance of occurrence (not likely to occur) Impact Scoring 1 Outage will result in unacceptable risk to New Jersey’s citizens and/or assets 2 Outage will not result in unacceptable risk to New Jersey’s citizens and/or assets, but will impact continuity of government and/or the ability to communicate with all levels of government 3 Outage will not affect critical functions and/or critical functions are easily failed over The Macro View: Assessing Risk
  • 8.
    8 Criticality Assessment 1 ProbabilityScore 3 to 1 - Impact Score 1 2 Probability Score 2.5 to 1 - Impact Score 2 3 Probability Score 3 to 2.5 – Impact Score 2; Probability Score 3 to 1 – Impact Score 3 The Macro View: Prioritizing Risk
  • 9.
    9 Business Continuity RiskAssessment – Firm Perspectives in Approach Citigroup
  • 10.
    10 Sub-processes, Recovery Strategies & Requirements Sub-processes, RecoveryStrategies & Requirements Threat & Vulnerability Assessment (TVA) BIA Business Impact Analysis TVA Threat & Vulnerability Assessment SRA Sector Risk Assessment SRA Sector Risk Assessment BIA Business Impact Analysis The purpose of the TVA is to: • Determine standard threat scenarios and planning constraints • Identify vulnerability, symbolic value, single point of failure, or concentration of resources • Composite Resilience Rating
  • 11.
    11 Cross Functional Collaboration •Perimeter security • VIP security • Proximity to other known militant targets • Utility diversity • Fire suppression • Electrical grids • UPS and generators • Egress and risers • Dual paths • Data Center strategy • Concentration of Infrastructure • People Strategy • Single point of failure • Perimeter security • VIP security • Proximity to other known militant targets • Utility diversity • Fire suppression • Electrical grids • UPS and generators • Egress and risers • Dual paths • Data Center strategy • Concentration of Infrastructure • People Strategy • Single point of failure SecuritySecurity FacilitiesFacilities TechnologyTechnology HRHR • Physical security• Physical security • Physical plant resilience• Physical plant resilience • Infrastructure resilience• Infrastructure resilience • Personnel• Personnel Team Lead: Office of Business Continuity TVA Team Expertise Example Components
  • 12.
    12 TVA: Threats Fora Facility include … • Vulnerability – low, medium, or high • Symbolic Value as a Target – low, medium, or high • Single Points of Failure – resources that do not have redundancy at another Citigroup facility
  • 13.
    13 TVA: Threats ata Facility (continued) Threats include: • Regional Blackout • Civil Unrest • Telecom Utility Interruptions • Epidemic • Hurricane • Flood • Earthquake • Bomb • Terrorist Event • Sabotage
  • 14.
    14 TVA: Threat ata Facility (continued) • For each potential threat the worst- case scenario is considered: Outage duration range days, weeks, or months Radius impacted <30 miles or >30 miles (50 km) Loss probability low, medium, or high • Then a composite resilience rating is calculated by the team
  • 15.
    15 TVA: Consistent Output(continued) Standard Threats, scenarios, and planning constraints Vulnerability, symbolic value, single point of failure, proximity, or concentration of resources Composite Resilience Rating Threats Outage Duration Range Radius Impacted Scope of Infrastructure Services Affected (Potential) Regional Blackout Days >30 miles Many Civil Unrest Days >30 miles Some Telco Interruption Days <30 miles Few Health Epidemic Weeks >30 miles Many Terrorist Event (multiple) Weeks >30 miles Many Sabotage of Facilities Weeks <30 miles Some Hurricane/ Typhoon Weeks >30 miles (Cat 4/5) Some Tornado Weeks-Mos >30 miles (F 4/5) Some Flood Weeks-Mos >30 miles Some Earthquake Weeks-Mos >30 miles (>6.0) Many Bio/chemical release Months <30 miles Many Dirty Bomb Months <30 miles Some
  • 16.
    16 Business Continuity RiskAssessment – Firm Perspectives in Approach Credit Suisse First Boston (CSFB)
  • 17.
    17 CSFB Business ContinuityPrioritization of Processes / Products Tier 1 – Critical Process(es) and/or associated products which are required for the bank to survive or whose unavailability would cause irreparable damage to the bank. This includes all core technology infrastructure systems and facilities on which all applications and data are dependent to conduct these processes. (e.g., funding the bank and associated settlement risks, safeguarding firm and customer assets, manage market and credit risks, etc.) Tier 2 – Required Process(es) and/or associated products whose availability is mandated by either regulatory requirements, customer or market obligations and/or business priorities. Tier 3 – Less Critical Process(es) and/or associated products that either have a delayed recovery timeframe or for which recovery can be deferred.
  • 18.
    18 Risk Weighting CriteriaUsed by CSFB CSFB takes into consideration two key factors by location in weighing business continuity risks. The first is the relative importance of a physical location from a business perspective and the second is the associated threat(s) at that location. Business Importance by Location 1. Financial Exposures a) Revenue Exposure or Opportunity Cost (foregone revenues due to inability to execute trades) b) Market Exposure or Value at Risk (capital loss on principal positions due to adverse market movements) c) Contractual and Reputation Exposure (costs of inability to perform contractual obligations and long- term impact of damaged customer franchise) 2. Presence of Business Functions/Processes and Products transacted 3. Presence of Technology Infrastructure supporting Business Functions/Processes and Products Threats Associated by Location 1. Environmental Risk a) Physical Threats (e.g., inclement weather, earthquakes, civil unrest, etc.) b) Municipal Utility Infrastructure (e.g, power, water) c) Telecommunications Infrastructure d) Transportation Infrastructure e) Health Care Infrastructure 2. Staff Concentration Risk 3. Technology Risk 4. Facility Risk
  • 19.
    19 Business Continuity ImpactScenarios Assumed by CSFB Partial Loss Planning Time Horizon: Intraday (Up to start of next business day) Assumes no physical destruction of facilities or systems. Business unit staff would either wait for IT and/or facilities disruption to be remediated or invoke business continuity plans. Internal outages/failures; examples: partial power outage or hardware/software failure. Denial of Access Planning Time Horizon: Up to 3 days Assumes no physical destruction of facilities or systems. Business unit staff would need to evacuate or be denied access to their primary office space. Examples: Transit strike, inclement weather, bomb scare, gas leak, civil unrest. Total Loss Planning Time Horizon: Up to 1 month or longer * Assumes physical destruction of facilities, systems and/or people. Examples: Terrorist attack, earthquake, catastrophic fire, flood. Loss of Key External Interdependencies Planning Time Horizon: Variable dependent on whether impact to CSFB is a Partial Loss, Denial of Access or Total Loss Assumes interruption of service provided by Third Party Service Providers, Exchanges, Industry Utilities, Clearing Corporations, and/or Market Data Systems (e.g., pricing/news/market analysis information, communications, trade execution/deal capture, etc.). Also assumes interruption of services provided by CSFB. * If the event is a Total Loss of primary data center collocated with people, then impact duration starts on Day 1. However, if the event is a Denial of Access to a data center facility lasting more than 3 days, then it is considered a Total Loss event.
  • 20.
    20 Business Recovery/Resiliency Strategy Options– Considerations for Risk Mitigation Impact Scenario Probability of Occurrence Business Recovery / Resiliency Strategy Option Estimated Recurring Cost Speed Of Recovery Difficulty of Recovery Split/Shared Production L H L Transference L H M Displacement Seating L M L Remote* L M M Manual Workarounds L M M Internal Recovery/ Contingency Seating – Dedicated Trading H M M Internal Recovery/ Contingency Seating – Dedicated Non-Trading H M M Internal Recovery/ Contingency Seating – Shared Non-Trading H M M Third Party Provider Recovery/ Contingency Seating - Dedicated Non-Trading H M M Third Party Provider Recovery/ Contingency Seating - Shared Non Trading M L H Split/Shared Production L H L Transference L H M Displacement Seating L M L Remote* L M M Manual Workarounds L M M Internal Recovery/ Contingency Seating – Dedicated Trading H L H Internal Recovery/ Contingency Seating – Dedicated Non-Trading H L H Internal Recovery/ Contingency Seating – Shared Non-Trading H L H Third Party Provider Recovery/ Contingency Seating - Dedicated Non-Trading H L H Third Party Provider Recovery/ Contingency Seating - Shared Non Trading M L H Split/Shared Production L H L Transference L H M Displacement Seating L M M Remote* L M M Manual Workarounds L M M Total Loss Low Relative Partial Loss High Denial of Access Medium Legend H = High M = Medium L = Low Remote* - Availability, functionality and capacity of key systems varies by business and by type of remote access
  • 21.
    21 New York Downtown Campus JerseyCity Site A Jersey City Site B Central NJ Office and Data Center Jersey City Site C Jersey City DR Data Center Current State New York Downtown Campus Proposed Interim State Proposed Future State BAU Assets BCP/ DR Assets Through the use of optimized traditional and alternative recovery and resiliency strategies, utilization of Business-As-Usual (BAU) firm assets (people, facilities and technology) increase while physical concentration risks are mitigated and DR-only overhead costs are reduced. Traditional Recovery – Dedicated or shared contingency seats (internally managed or third party) Alternative Recovery – Displacement, remote computing, transference, split production BAU Assets BCP/DR Assets Legend Jersey City Site A Jersey City Site B Southeastern US Office Jersey City DR Data Center Southeastern US Office and Data Center Asia New York Downtown Campus LondonAsia Midtown Office Midtown Office Northern NJ DR Data Center Northern NJ DR Data Center London Central NJ Office and Data Center Central NJ Office and Data Center London Business Continuity Risk Mitigating Strategies – Illustrative Optimization Over Time Jersey City Site A Midtown Office