Slide 1 – Workshop: Lessons in Risk Assessment
Greg Ferris – Executive Director, Morgan Stanley
John Odermatt – Corporate Director, Citigroup
Peter Poulos – Director, Credit Suisse First Boston (CSFB)
Slide 2 – Workshop Overview
1. Introductions
2. Business Continuity Risk Assessment – Firm Perspectives in Approach
   • Morgan Stanley
   • Citigroup
   • Credit Suisse First Boston (CSFB)
3. Questions & Answers
Slide 3 – Business Continuity Risk Assessment – Firm Perspectives in Approach: Morgan Stanley
Slide 4 – The Macro View: Prioritizing Risk – Determining What Matters Most
[Chart: a probability-versus-impact matrix with axes labelled "Probability" and "Impact"; its four quadrants are labelled Crit 1, Crit 2, Crit 2 and Crit 3.]
Life safety mitigation and response will be constant in all locations.
Prioritize business risks:
Crit 1 – Mitigation and response solutions in place for all risks.
Crit 2 – Mitigation solutions in place for some risks. Response solutions in place for all.
Crit 3 – No mitigation solutions in place. Response solutions in place for all.
Analysis performed at the regional and divisional level.
Slide 5 – The Macro View: Cataloging and Assessing Risk
Identifying Risks
– Think about the events (natural and man-made) that could interrupt the normal flow of operations and/or threaten the well-being of employees
– Don’t focus purely on disasters in the classic sense
– Try to focus on the effect of the problem as opposed to its cause
Assessing Risk
– Assess the probability/impact of each risk statement
– Provide a criticality ranking for each
Slide 6 – Getting Started: Assessing Probabilities and Impacts
Probability Scoring
1 – Greater than 66 percent chance of occurrence (will happen or is very likely to happen)
2 – 33 to 65 percent chance of occurrence (likely to happen)
3 – Less than 33 percent chance of occurrence (not likely to occur)
Impact Scoring
1 – Outage will result in inability to meet regulatory requirements and introduce excessive risk
2 – Outage will not impede ability to meet regulatory requirements or introduce excessive risk, but will impact client service functions
3 – Outage will not affect critical functions and/or critical functions are easily failed over
Slide 7 – The Macro View: Assessing Risk
Probability Scoring
1 – Greater than 66 percent chance of occurrence (will happen or is very likely to happen)
2 – 33 to 65 percent chance of occurrence (likely to happen)
3 – Less than 33 percent chance of occurrence (not likely to occur)
Impact Scoring
1 – Outage will result in unacceptable risk to New Jersey’s citizens and/or assets
2 – Outage will not result in unacceptable risk to New Jersey’s citizens and/or assets, but will impact continuity of government and/or the ability to communicate with all levels of government
3 – Outage will not affect critical functions and/or critical functions are easily failed over
Slide 8 – The Macro View: Prioritizing Risk
Criticality Assessment
1 – Probability Score 3 to 1 with Impact Score 1
2 – Probability Score 2.5 to 1 with Impact Score 2
3 – Probability Score 3 to 2.5 with Impact Score 2; Probability Score 3 to 1 with Impact Score 3
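The scoring on slides 4, 6 and 8 carried through as a runnable worked example. This is an added illustration, not code from the deck or from Morgan Stanley: it takes per-region or per-division probability scores for a risk statement, averages them (an assumption here; the slides only say analysis happens at that level), applies the slide 8 criticality rules, and ranks the catalogue. Two further assumptions are marked in the code: a probability score of exactly 2.5 with impact 2 is treated as Crit 2, because the slide 8 rules for Crit 2 and Crit 3 overlap at that value, and the sample risk statements and scores are constructed.

```python
"""Macro-view risk scoring from slides 4, 6 and 8 (added example, not deck code).

Scores run 1..3 on both scales and lower is worse: probability 1 means a
greater than 66 percent chance, impact 1 means regulatory requirements cannot
be met. Criticality 1..3 follows the slide 8 rules.
"""
from dataclasses import dataclass, field
from statistics import mean

# Slide 6 scales, kept for validation and for readable output.
PROBABILITY_SCALE = {
    1: "greater than 66 percent chance (will happen or is very likely)",
    2: "33 to 65 percent chance (likely to happen)",
    3: "less than 33 percent chance (not likely to occur)",
}
IMPACT_SCALE = {
    1: "inability to meet regulatory requirements; excessive risk",
    2: "regulatory requirements still met, but client service functions impacted",
    3: "critical functions unaffected or easily failed over",
}

# Slide 4: what each criticality band requires to be in place.
REQUIRED_SOLUTIONS = {
    1: "mitigation and response solutions for all risks",
    2: "mitigation solutions for some risks; response solutions for all",
    3: "no mitigation solutions; response solutions for all",
}


@dataclass
class RiskStatement:
    name: str
    # One probability score per regional/divisional assessment. Averaging them
    # into a single (possibly fractional) score is an assumption of this example.
    probability_scores: list[int] = field(default_factory=list)
    impact_score: int = 3

    def probability_score(self) -> float:
        if not self.probability_scores:
            raise ValueError(f"{self.name}: no probability scores recorded")
        for s in self.probability_scores:
            if s not in PROBABILITY_SCALE:
                raise ValueError(f"{self.name}: probability score {s} not in 1..3")
        return mean(self.probability_scores)


def criticality(probability: float, impact: int) -> int:
    """Slide 8 criticality assessment.

    Crit 1: probability 3 to 1 with impact 1.
    Crit 2: probability 2.5 to 1 with impact 2.
    Crit 3: probability 3 to 2.5 with impact 2, or probability 3 to 1 with impact 3.
    Exactly 2.5 with impact 2 falls under both rules; this example assigns it to
    Crit 2, the more demanding band (an assumption, not stated on the slide).
    """
    if impact not in IMPACT_SCALE:
        raise ValueError(f"impact score {impact} not in 1..3")
    if not 1 <= probability <= 3:
        raise ValueError(f"probability score {probability} not in 1..3")
    if impact == 1:
        return 1
    if impact == 2:
        return 2 if probability <= 2.5 else 3
    return 3


def prioritize(risks: list[RiskStatement]) -> list[tuple[str, int, float, int]]:
    """Rank risk statements most critical first, then most probable.

    Returns (name, criticality, averaged probability score, impact score).
    """
    ranked = []
    for r in risks:
        p = r.probability_score()
        ranked.append((r.name, criticality(p, r.impact_score), p, r.impact_score))
    # Lower numbers are worse on every scale, so a plain ascending sort works.
    ranked.sort(key=lambda row: (row[1], row[2], row[3]))
    return ranked


# Constructed sample catalogue; names and scores are illustrative only.
SAMPLE_RISKS = [
    RiskStatement("Regional power outage at primary data center", [2, 1, 2], 1),
    RiskStatement("Telecom carrier interruption", [1, 1], 2),
    RiskStatement("Severe winter storm limits staff access", [3, 2], 2),
    RiskStatement("Water leak on a non-critical floor", [2, 3], 3),
]

if __name__ == "__main__":
    for name, crit, prob, impact in prioritize(SAMPLE_RISKS):
        print(f"Crit {crit}  P={prob:.2f}  I={impact}  {name}")
        print(f"        requires: {REQUIRED_SOLUTIONS[crit]}")
```

Running the module prints the sample catalogue in priority order with the slide 4 requirement for each band. The validation in `criticality` matters in practice: a spreadsheet-born catalogue often carries a 0 or a blank where a 1..3 score belongs, and a silent default would push a Crit 1 risk into Crit 3.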
Slide 9 – Business Continuity Risk Assessment – Firm Perspectives in Approach: Citigroup
Slide 10 – Threat & Vulnerability Assessment (TVA)
[Diagram: three linked assessments, Business Impact Analysis (BIA), Threat & Vulnerability Assessment (TVA) and Sector Risk Assessment (SRA), with sub-processes, recovery strategies and requirements as inputs.]
The purpose of the TVA is to:
• Determine standard threat scenarios and planning constraints
• Identify vulnerability, symbolic value, single point of failure, or concentration of resources
• Produce a Composite Resilience Rating
Slide 11 – TVA Team Expertise: Example Components
Cross Functional Collaboration
Team Lead: Office of Business Continuity
Team expertise:
• Security – Physical security
• Facilities – Physical plant resilience
• Technology – Infrastructure resilience
• HR – Personnel
Example components:
• Perimeter security
• VIP security
• Proximity to other known militant targets
• Utility diversity
• Fire suppression
• Electrical grids
• UPS and generators
• Egress and risers
• Dual paths
• Data Center strategy
• Concentration of Infrastructure
• People Strategy
• Single point of failure
Slide 12 – TVA: Threats For a Facility include …
• Vulnerability – low, medium, or high
• Symbolic Value as a Target – low, medium, or high
• Single Points of Failure – resources that do not have redundancy at another Citigroup facility
Slide 13 – TVA: Threats at a Facility (continued)
Threats include:
• Regional Blackout
• Civil Unrest
• Telecom Utility Interruptions
• Epidemic
• Hurricane
• Flood
• Earthquake
• Bomb
• Terrorist Event
• Sabotage
Slide 14 – TVA: Threat at a Facility (continued)
• For each potential threat the worst-case scenario is considered:
  – Outage duration range: days, weeks, or months
  – Radius impacted: <30 miles or >30 miles (50 km)
  – Loss probability: low, medium, or high
• Then a composite resilience rating is calculated by the team
Slide 15 – TVA: Consistent Output (continued)
The output follows the TVA flow: (1) standard threats, scenarios and planning constraints; (2) vulnerability, symbolic value, single point of failure, proximity, or concentration of resources; (3) Composite Resilience Rating.

Threat                      Outage Duration Range   Radius Impacted        Scope of Infrastructure Services Affected (Potential)
Regional Blackout           Days                    >30 miles              Many
Civil Unrest                Days                    >30 miles              Some
Telco Interruption          Days                    <30 miles              Few
Health Epidemic             Weeks                   >30 miles              Many
Terrorist Event (multiple)  Weeks                   >30 miles              Many
Sabotage of Facilities      Weeks                   <30 miles              Some
Hurricane/Typhoon           Weeks                   >30 miles (Cat 4/5)    Some
Tornado                     Weeks-Months            >30 miles (F 4/5)      Some
Flood                       Weeks-Months            >30 miles              Some
Earthquake                  Weeks-Months            >30 miles (>6.0)       Many
Bio/chemical release        Months                  <30 miles              Many
Dirty Bomb                  Months                  <30 miles              Some
Slide 16 – Business Continuity Risk Assessment – Firm Perspectives in Approach: Credit Suisse First Boston (CSFB)
Slide 17 – CSFB Business Continuity Prioritization of Processes / Products
Tier 1 – Critical
Process(es) and/or associated products which are required for the bank to survive or whose unavailability would cause irreparable damage to the bank. This includes all core technology infrastructure systems and facilities on which all applications and data are dependent to conduct these processes. (e.g., funding the bank and associated settlement risks, safeguarding firm and customer assets, managing market and credit risks, etc.)
Tier 2 – Required
Process(es) and/or associated products whose availability is mandated by either regulatory requirements, customer or market obligations and/or business priorities.
Tier 3 – Less Critical
Process(es) and/or associated products that either have a delayed recovery timeframe or for which recovery can be deferred.
Slide 18 – Risk Weighting Criteria Used by CSFB
CSFB takes into consideration two key factors by location in weighing business continuity risks. The first is the relative importance of a physical location from a business perspective and the second is the associated threat(s) at that location.
Business Importance by Location
1. Financial Exposures
   a) Revenue Exposure or Opportunity Cost (foregone revenues due to inability to execute trades)
   b) Market Exposure or Value at Risk (capital loss on principal positions due to adverse market movements)
   c) Contractual and Reputation Exposure (costs of inability to perform contractual obligations and long-term impact of damaged customer franchise)
2. Presence of Business Functions/Processes and Products transacted
3. Presence of Technology Infrastructure supporting Business Functions/Processes and Products
Threats Associated by Location
1. Environmental Risk
   a) Physical Threats (e.g., inclement weather, earthquakes, civil unrest, etc.)
   b) Municipal Utility Infrastructure (e.g., power, water)
   c) Telecommunications Infrastructure
   d) Transportation Infrastructure
   e) Health Care Infrastructure
2. Staff Concentration Risk
3. Technology Risk
4. Facility Risk
Slide 19 – Business Continuity Impact Scenarios Assumed by CSFB
Partial Loss
Planning Time Horizon: Intraday (up to start of next business day)
Assumes no physical destruction of facilities or systems. Business unit staff would either wait for IT and/or facilities disruption to be remediated or invoke business continuity plans. Internal outages/failures; examples: partial power outage or hardware/software failure.
Denial of Access
Planning Time Horizon: Up to 3 days
Assumes no physical destruction of facilities or systems. Business unit staff would need to evacuate or be denied access to their primary office space. Examples: transit strike, inclement weather, bomb scare, gas leak, civil unrest.
Total Loss
Planning Time Horizon: Up to 1 month or longer *
Assumes physical destruction of facilities, systems and/or people. Examples: terrorist attack, earthquake, catastrophic fire, flood.
Loss of Key External Interdependencies
Planning Time Horizon: Variable, dependent on whether the impact to CSFB is a Partial Loss, Denial of Access or Total Loss
Assumes interruption of service provided by Third Party Service Providers, Exchanges, Industry Utilities, Clearing Corporations, and/or Market Data Systems (e.g., pricing/news/market analysis information, communications, trade execution/deal capture, etc.). Also assumes interruption of services provided by CSFB.
* If the event is a Total Loss of a primary data center collocated with people, then impact duration starts on Day 1. However, if the event is a Denial of Access to a data center facility lasting more than 3 days, then it is considered a Total Loss event.
Slide 20 – Business Recovery/Resiliency Strategy Options – Considerations for Risk Mitigation
Impact scenario and relative probability of occurrence: Partial Loss – High; Denial of Access – Medium; Total Loss – Low.
For each impact scenario the slide rates each Business Recovery / Resiliency Strategy Option on Estimated Recurring Cost, Speed of Recovery and Difficulty of Recovery. The three rating blocks survive in the slide text; which scenario each block belongs to does not, so they are listed here as blocks 1 to 3.

Block 1                                                                          Cost  Speed  Difficulty
Split/Shared Production                                                          L     H      L
Transference                                                                     L     H      M
Displacement Seating                                                             L     M      L
Remote*                                                                          L     M      M
Manual Workarounds                                                               L     M      M
Internal Recovery/Contingency Seating – Dedicated Trading                        H     M      M
Internal Recovery/Contingency Seating – Dedicated Non-Trading                    H     M      M
Internal Recovery/Contingency Seating – Shared Non-Trading                       H     M      M
Third Party Provider Recovery/Contingency Seating – Dedicated Non-Trading        H     M      M
Third Party Provider Recovery/Contingency Seating – Shared Non-Trading           M     L      H

Block 2                                                                          Cost  Speed  Difficulty
Split/Shared Production                                                          L     H      L
Transference                                                                     L     H      M
Displacement Seating                                                             L     M      L
Remote*                                                                          L     M      M
Manual Workarounds                                                               L     M      M
Internal Recovery/Contingency Seating – Dedicated Trading                        H     L      H
Internal Recovery/Contingency Seating – Dedicated Non-Trading                    H     L      H
Internal Recovery/Contingency Seating – Shared Non-Trading                       H     L      H
Third Party Provider Recovery/Contingency Seating – Dedicated Non-Trading        H     L      H
Third Party Provider Recovery/Contingency Seating – Shared Non-Trading           M     L      H

Block 3                                                                          Cost  Speed  Difficulty
Split/Shared Production                                                          L     H      L
Transference                                                                     L     H      M
Displacement Seating                                                             L     M      M
Remote*                                                                          L     M      M
Manual Workarounds                                                               L     M      M

Legend: H = High, M = Medium, L = Low
Remote* – Availability, functionality and capacity of key systems varies by business and by type of remote access
Slide 21 – Business Continuity Risk Mitigating Strategies – Illustrative Optimization Over Time
Through the use of optimized traditional and alternative recovery and resiliency strategies, utilization of Business-As-Usual (BAU) firm assets (people, facilities and technology) increases while physical concentration risks are mitigated and DR-only overhead costs are reduced.
Traditional Recovery – Dedicated or shared contingency seats (internally managed or third party)
Alternative Recovery – Displacement, remote computing, transference, split production
[Diagram: three panels, Current State, Proposed Interim State and Proposed Future State, each mapping sites as either BAU Assets or BCP/DR Assets (legend: BAU Assets; BCP/DR Assets). Sites shown across the panels: New York Downtown Campus, Midtown Office, Jersey City Site A, Jersey City Site B, Jersey City Site C, Jersey City DR Data Center, Central NJ Office and Data Center, Northern NJ DR Data Center, Southeastern US Office and Data Center, London, Asia.]

2005_SIA_BCP_Conf

  • 1. Greg Ferris – Executive Director, Morgan Stanley John Odermatt – Corporate Director, Citigroup Peter Poulos – Director, Credit Suisse First Boston (CSFB) Workshop: Lessons in Risk Assessment
  • 2. 2 Workshop Overview 1. Introductions 2. Business Continuity Risk Assessment – Firm Perspectives in Approach • Morgan Stanley • Citigroup • Credit Suisse First Boston (CSFB) 3. Questions & Answers
  • 3. 3 Business Continuity Risk Assessment – Firm Perspectives in Approach Morgan Stanley
  • 4. 4 Crit 2 Crit 1 Crit 2Crit 3 Life safety mitigation and response will be constant in all locations Prioritize business risks: Crit 1 – Mitigation and response solutions in place for all risks Crit 2 – Mitigation solutions in place for some risks. Response solutions in place for all. Crit 3 – No mitigation solutions in place. Response solutions in place for all. Analysis performed at the regional and divisional level Probability Impact The Macro View: Prioritizing Risk – Determining What Matters Most
  • 5. 5 Identifying Risks – Think about the events (natural and man made) that could interrupt the normal flow of operations and/or threaten the well being of employees – Don’t focus purely on disasters in the classic sense – Try to focus on the effect of the problem as opposed to it’s cause Assessing Risk – Assess the probability/impact of each risk statement – Provide a criticality ranking for each The Macro View: Cataloging and Assessing Risk
  • 6. 6 Probability Scoring 1 Greater than 66 percent chance of occurrence (will happen or is very likely to happen) 2 33 to 65 percent chance of occurrence (likely to happen) 3 Less than 33 percent chance of occurrence (not likely to occur) Impact Scoring 1 Outage will result in inability to meet regulatory requirements and introduce excessive risk 2 Outage will not impede ability to meet regulatory requirements or excessive risk, but will impact client service functions 3 Outage will not affect critical functions and/or critical functions are easily failed over Getting Started: Assessing Probabilities and Impacts
  • 7. 7 Probability Scoring 1 Greater than 66 percent chance of occurrence (will happen or is very likely to happen) 2 33 to 65 percent chance of occurrence (likely to happen) 3 Less than 33 percent chance of occurrence (not likely to occur) Impact Scoring 1 Outage will result in unacceptable risk to New Jersey’s citizens and/or assets 2 Outage will not result in unacceptable risk to New Jersey’s citizens and/or assets, but will impact continuity of government and/or the ability to communicate with all levels of government 3 Outage will not affect critical functions and/or critical functions are easily failed over The Macro View: Assessing Risk
  • 8. 8 Criticality Assessment 1 Probability Score 3 to 1 - Impact Score 1 2 Probability Score 2.5 to 1 - Impact Score 2 3 Probability Score 3 to 2.5 – Impact Score 2; Probability Score 3 to 1 – Impact Score 3 The Macro View: Prioritizing Risk
  • 9. 9 Business Continuity Risk Assessment – Firm Perspectives in Approach Citigroup
  • 10. 10 Sub-processes, Recovery Strategies & Requirements Sub-processes, Recovery Strategies & Requirements Threat & Vulnerability Assessment (TVA) BIA Business Impact Analysis TVA Threat & Vulnerability Assessment SRA Sector Risk Assessment SRA Sector Risk Assessment BIA Business Impact Analysis The purpose of the TVA is to: • Determine standard threat scenarios and planning constraints • Identify vulnerability, symbolic value, single point of failure, or concentration of resources • Composite Resilience Rating
  • 11. 11 Cross Functional Collaboration • Perimeter security • VIP security • Proximity to other known militant targets • Utility diversity • Fire suppression • Electrical grids • UPS and generators • Egress and risers • Dual paths • Data Center strategy • Concentration of Infrastructure • People Strategy • Single point of failure • Perimeter security • VIP security • Proximity to other known militant targets • Utility diversity • Fire suppression • Electrical grids • UPS and generators • Egress and risers • Dual paths • Data Center strategy • Concentration of Infrastructure • People Strategy • Single point of failure SecuritySecurity FacilitiesFacilities TechnologyTechnology HRHR • Physical security• Physical security • Physical plant resilience• Physical plant resilience • Infrastructure resilience• Infrastructure resilience • Personnel• Personnel Team Lead: Office of Business Continuity TVA Team Expertise Example Components
  • 12. 12 TVA: Threats For a Facility include … • Vulnerability – low, medium, or high • Symbolic Value as a Target – low, medium, or high • Single Points of Failure – resources that do not have redundancy at another Citigroup facility
  • 13. 13 TVA: Threats at a Facility (continued) Threats include: • Regional Blackout • Civil Unrest • Telecom Utility Interruptions • Epidemic • Hurricane • Flood • Earthquake • Bomb • Terrorist Event • Sabotage
  • 14. 14 TVA: Threat at a Facility (continued) • For each potential threat the worst- case scenario is considered: Outage duration range days, weeks, or months Radius impacted <30 miles or >30 miles (50 km) Loss probability low, medium, or high • Then a composite resilience rating is calculated by the team
  • 15. 15 TVA: Consistent Output (continued) Standard Threats, scenarios, and planning constraints Vulnerability, symbolic value, single point of failure, proximity, or concentration of resources Composite Resilience Rating Threats Outage Duration Range Radius Impacted Scope of Infrastructure Services Affected (Potential) Regional Blackout Days >30 miles Many Civil Unrest Days >30 miles Some Telco Interruption Days <30 miles Few Health Epidemic Weeks >30 miles Many Terrorist Event (multiple) Weeks >30 miles Many Sabotage of Facilities Weeks <30 miles Some Hurricane/ Typhoon Weeks >30 miles (Cat 4/5) Some Tornado Weeks-Mos >30 miles (F 4/5) Some Flood Weeks-Mos >30 miles Some Earthquake Weeks-Mos >30 miles (>6.0) Many Bio/chemical release Months <30 miles Many Dirty Bomb Months <30 miles Some
16
Business Continuity Risk Assessment – Firm Perspectives in Approach
Credit Suisse First Boston (CSFB)
17
CSFB Business Continuity Prioritization of Processes / Products

Tier 1 – Critical: Process(es) and/or associated products which are required for the bank to survive or whose unavailability would cause irreparable damage to the bank. This includes all core technology infrastructure systems and facilities on which all applications and data depend to conduct these processes (e.g., funding the bank and associated settlement risks, safeguarding firm and customer assets, managing market and credit risks, etc.).

Tier 2 – Required: Process(es) and/or associated products whose availability is mandated by regulatory requirements, customer or market obligations, and/or business priorities.

Tier 3 – Less Critical: Process(es) and/or associated products that either have a delayed recovery timeframe or for which recovery can be deferred.
18
Risk Weighting Criteria Used by CSFB

CSFB takes into consideration two key factors by location in weighing business continuity risks. The first is the relative importance of a physical location from a business perspective and the second is the associated threat(s) at that location.

Business Importance by Location
1. Financial Exposures
   a) Revenue Exposure or Opportunity Cost (foregone revenues due to inability to execute trades)
   b) Market Exposure or Value at Risk (capital loss on principal positions due to adverse market movements)
   c) Contractual and Reputation Exposure (costs of inability to perform contractual obligations and long-term impact of a damaged customer franchise)
2. Presence of Business Functions/Processes and Products transacted
3. Presence of Technology Infrastructure supporting Business Functions/Processes and Products

Threats Associated by Location
1. Environmental Risk
   a) Physical Threats (e.g., inclement weather, earthquakes, civil unrest, etc.)
   b) Municipal Utility Infrastructure (e.g., power, water)
   c) Telecommunications Infrastructure
   d) Transportation Infrastructure
   e) Health Care Infrastructure
2. Staff Concentration Risk
3. Technology Risk
4. Facility Risk
19
Business Continuity Impact Scenarios Assumed by CSFB

Partial Loss
Planning Time Horizon: Intraday (up to start of next business day)
Assumes no physical destruction of facilities or systems. Business unit staff would either wait for the IT and/or facilities disruption to be remediated or invoke business continuity plans. Internal outages/failures; examples: partial power outage or hardware/software failure.

Denial of Access
Planning Time Horizon: Up to 3 days
Assumes no physical destruction of facilities or systems. Business unit staff would need to evacuate or be denied access to their primary office space. Examples: transit strike, inclement weather, bomb scare, gas leak, civil unrest.

Total Loss
Planning Time Horizon: Up to 1 month or longer *
Assumes physical destruction of facilities, systems and/or people. Examples: terrorist attack, earthquake, catastrophic fire, flood.

Loss of Key External Interdependencies
Planning Time Horizon: Variable, dependent on whether the impact to CSFB is a Partial Loss, Denial of Access or Total Loss
Assumes interruption of service provided by Third Party Service Providers, Exchanges, Industry Utilities, Clearing Corporations, and/or Market Data Systems (e.g., pricing/news/market analysis information, communications, trade execution/deal capture, etc.). Also assumes interruption of services provided by CSFB.

* If the event is a Total Loss of a primary data center collocated with people, then impact duration starts on Day 1. However, if the event is a Denial of Access to a data center facility lasting more than 3 days, then it is considered a Total Loss event.
20
Business Recovery/Resiliency Strategy Options – Considerations for Risk Mitigation

Impact scenarios and relative probability of occurrence: Partial Loss – High; Denial of Access – Medium; Total Loss – Low.

Each strategy option is rated on Estimated Recurring Cost / Speed of Recovery / Difficulty of Recovery. The slide gives three rating sets, one per impact scenario, listed here in the order they appear:

Business Recovery / Resiliency Strategy Option                                   Cost  Speed  Difficulty
First rating set
Split/Shared Production                                                          L     H      L
Transference                                                                     L     H      M
Displacement Seating                                                             L     M      L
Remote*                                                                          L     M      M
Manual Workarounds                                                               L     M      M
Internal Recovery/Contingency Seating – Dedicated Trading                        H     M      M
Internal Recovery/Contingency Seating – Dedicated Non-Trading                    H     M      M
Internal Recovery/Contingency Seating – Shared Non-Trading                       H     M      M
Third Party Provider Recovery/Contingency Seating – Dedicated Non-Trading        H     M      M
Third Party Provider Recovery/Contingency Seating – Shared Non-Trading           M     L      H
Second rating set
Split/Shared Production                                                          L     H      L
Transference                                                                     L     H      M
Displacement Seating                                                             L     M      L
Remote*                                                                          L     M      M
Manual Workarounds                                                               L     M      M
Internal Recovery/Contingency Seating – Dedicated Trading                        H     L      H
Internal Recovery/Contingency Seating – Dedicated Non-Trading                    H     L      H
Internal Recovery/Contingency Seating – Shared Non-Trading                       H     L      H
Third Party Provider Recovery/Contingency Seating – Dedicated Non-Trading        H     L      H
Third Party Provider Recovery/Contingency Seating – Shared Non-Trading           M     L      H
Third rating set
Split/Shared Production                                                          L     H      L
Transference                                                                     L     H      M
Displacement Seating                                                             L     M      M
Remote*                                                                          L     M      M
Manual Workarounds                                                               L     M      M

Legend: H = High, M = Medium, L = Low
Remote* – Availability, functionality and capacity of key systems varies by business and by type of remote access
21
Business Continuity Risk Mitigating Strategies – Illustrative Optimization Over Time

Through the use of optimized traditional and alternative recovery and resiliency strategies, utilization of Business-As-Usual (BAU) firm assets (people, facilities and technology) increases while physical concentration risks are mitigated and DR-only overhead costs are reduced.

Traditional Recovery – Dedicated or shared contingency seats (internally managed or third party)
Alternative Recovery – Displacement, remote computing, transference, split production

[Diagram: Current State, Proposed Interim State, Proposed Future State. Sites shown include New York Downtown Campus, Midtown Office, Jersey City Sites A, B and C, Jersey City DR Data Center, Northern NJ DR Data Center, Central NJ Office and Data Center, Southeastern US Office and Data Center, London and Asia. Legend: BAU Assets vs. BCP/DR Assets.]