Economic Consequence Analysis, Prof. Adam Rose, USC
2005_SIA_BCP_Conf
1. Greg Ferris – Executive Director, Morgan Stanley
John Odermatt – Corporate Director, Citigroup
Peter Poulos – Director, Credit Suisse First Boston (CSFB)
Workshop: Lessons in Risk Assessment
2. 2
Workshop Overview
1. Introductions
2. Business Continuity Risk Assessment – Firm
Perspectives in Approach
• Morgan Stanley
• Citigroup
• Credit Suisse First Boston (CSFB)
3. Questions & Answers
4. 4
Crit 2 Crit 1
Crit 2Crit 3
Life safety mitigation and
response will be constant
in all locations
Prioritize business risks:
Crit 1 – Mitigation and
response solutions in place
for all risks
Crit 2 – Mitigation solutions
in place for some risks.
Response solutions in place
for all.
Crit 3 – No mitigation
solutions in place.
Response solutions in place
for all.
Analysis performed at the
regional and divisional
level
Probability
Impact
The Macro View: Prioritizing Risk – Determining
What Matters Most
5. 5
Identifying Risks
– Think about the events (natural and man made) that could interrupt the normal flow of
operations and/or threaten the well being of employees
– Don’t focus purely on disasters in the classic sense
– Try to focus on the effect of the problem as opposed to it’s cause
Assessing Risk
– Assess the probability/impact of each risk statement
– Provide a criticality ranking for each
The Macro View: Cataloging and Assessing Risk
6. 6
Probability Scoring
1 Greater than 66 percent chance of occurrence (will happen or is very likely to happen)
2 33 to 65 percent chance of occurrence (likely to happen)
3 Less than 33 percent chance of occurrence (not likely to occur)
Impact Scoring
1 Outage will result in inability to meet regulatory requirements and introduce excessive risk
2 Outage will not impede ability to meet regulatory requirements or excessive risk, but will
impact client service functions
3 Outage will not affect critical functions and/or critical functions are easily failed over
Getting Started: Assessing Probabilities and
Impacts
7. 7
Probability Scoring
1 Greater than 66 percent chance of occurrence (will happen or is very likely to happen)
2 33 to 65 percent chance of occurrence (likely to happen)
3 Less than 33 percent chance of occurrence (not likely to occur)
Impact Scoring
1 Outage will result in unacceptable risk to New Jersey’s citizens and/or assets
2 Outage will not result in unacceptable risk to New Jersey’s citizens and/or assets, but will
impact continuity of government and/or the ability to communicate with all levels of
government
3 Outage will not affect critical functions and/or critical functions are easily failed over
The Macro View: Assessing Risk
8. 8
Criticality Assessment
1 Probability Score 3 to 1 - Impact Score 1
2 Probability Score 2.5 to 1 - Impact Score 2
3 Probability Score 3 to 2.5 – Impact Score 2; Probability Score 3 to 1 –
Impact Score 3
The Macro View: Prioritizing Risk
10. 10
Sub-processes,
Recovery Strategies
& Requirements
Sub-processes,
Recovery Strategies
& Requirements
Threat & Vulnerability Assessment (TVA)
BIA
Business Impact
Analysis
TVA
Threat & Vulnerability
Assessment
SRA
Sector Risk Assessment
SRA
Sector Risk Assessment
BIA
Business Impact
Analysis
The purpose of the TVA is to:
• Determine standard threat scenarios and planning
constraints
• Identify vulnerability, symbolic value, single point of failure,
or concentration of resources
• Composite Resilience Rating
11. 11
Cross Functional Collaboration
• Perimeter security
• VIP security
• Proximity to other known militant targets
• Utility diversity
• Fire suppression
• Electrical grids
• UPS and generators
• Egress and risers
• Dual paths
• Data Center strategy
• Concentration of Infrastructure
• People Strategy
• Single point of failure
• Perimeter security
• VIP security
• Proximity to other known militant targets
• Utility diversity
• Fire suppression
• Electrical grids
• UPS and generators
• Egress and risers
• Dual paths
• Data Center strategy
• Concentration of Infrastructure
• People Strategy
• Single point of failure
SecuritySecurity
FacilitiesFacilities
TechnologyTechnology
HRHR
• Physical security• Physical security
• Physical plant resilience• Physical plant resilience
• Infrastructure resilience• Infrastructure resilience
• Personnel• Personnel
Team Lead: Office of
Business Continuity
TVA Team Expertise Example Components
12. 12
TVA: Threats For a Facility include …
• Vulnerability
– low, medium, or high
• Symbolic Value as a Target
– low, medium, or high
• Single Points of Failure
– resources that do not have
redundancy at another
Citigroup facility
14. 14
TVA: Threat at a Facility (continued)
• For each potential threat the worst-
case scenario is considered:
Outage duration range
days, weeks, or months
Radius impacted
<30 miles or >30 miles (50 km)
Loss probability
low, medium, or high
• Then a composite resilience rating is
calculated by the team
15. 15
TVA: Consistent Output (continued)
Standard
Threats,
scenarios, and
planning
constraints
Vulnerability,
symbolic value,
single point of
failure, proximity,
or concentration
of resources
Composite
Resilience
Rating
Threats
Outage
Duration
Range Radius Impacted
Scope of
Infrastructure
Services
Affected
(Potential)
Regional Blackout Days >30 miles Many
Civil Unrest Days >30 miles Some
Telco Interruption Days <30 miles Few
Health Epidemic Weeks >30 miles Many
Terrorist Event (multiple) Weeks >30 miles Many
Sabotage of Facilities Weeks <30 miles Some
Hurricane/ Typhoon Weeks >30 miles (Cat 4/5) Some
Tornado Weeks-Mos >30 miles (F 4/5) Some
Flood Weeks-Mos >30 miles Some
Earthquake Weeks-Mos >30 miles (>6.0) Many
Bio/chemical release Months <30 miles Many
Dirty Bomb Months <30 miles Some
17. 17
CSFB Business Continuity Prioritization of
Processes / Products
Tier 1 – Critical
Process(es) and/or associated products which are required for the bank to survive or whose
unavailability would cause irreparable damage to the bank. This includes all core technology
infrastructure systems and facilities on which all applications and data are dependent to conduct
these processes. (e.g., funding the bank and associated settlement risks, safeguarding firm and
customer assets, manage market and credit risks, etc.)
Tier 2 – Required
Process(es) and/or associated products whose availability is mandated by either regulatory
requirements, customer or market obligations and/or business priorities.
Tier 3 – Less Critical
Process(es) and/or associated products that either have a delayed recovery timeframe or for
which recovery can be deferred.
18. 18
Risk Weighting Criteria Used by CSFB
CSFB takes into consideration two key factors by location in weighing business continuity risks. The first
is the relative importance of a physical location from a business perspective and the second is the
associated threat(s) at that location.
Business Importance by Location
1. Financial Exposures
a) Revenue Exposure or Opportunity Cost (foregone revenues due to inability to execute trades)
b) Market Exposure or Value at Risk (capital loss on principal positions due to adverse market
movements)
c) Contractual and Reputation Exposure (costs of inability to perform contractual obligations and long-
term impact of damaged customer franchise)
2. Presence of Business Functions/Processes and Products transacted
3. Presence of Technology Infrastructure supporting Business Functions/Processes and Products
Threats Associated by Location
1. Environmental Risk
a) Physical Threats (e.g., inclement weather, earthquakes, civil unrest, etc.)
b) Municipal Utility Infrastructure (e.g, power, water)
c) Telecommunications Infrastructure
d) Transportation Infrastructure
e) Health Care Infrastructure
2. Staff Concentration Risk
3. Technology Risk
4. Facility Risk
19. 19
Business Continuity Impact Scenarios Assumed
by CSFB
Partial Loss
Planning Time Horizon: Intraday (Up to start of next business day)
Assumes no physical destruction of facilities or systems.
Business unit staff would either wait for IT and/or facilities
disruption to be remediated or invoke business continuity
plans. Internal outages/failures; examples: partial power
outage or hardware/software failure.
Denial of Access
Planning Time Horizon: Up to 3 days
Assumes no physical destruction of facilities or systems.
Business unit staff would need to evacuate or be denied access
to their primary office space. Examples: Transit strike, inclement
weather, bomb scare, gas leak, civil unrest.
Total Loss
Planning Time Horizon: Up to 1 month or longer *
Assumes physical destruction of facilities, systems and/or
people. Examples: Terrorist attack, earthquake, catastrophic fire,
flood.
Loss of Key External Interdependencies
Planning Time Horizon: Variable dependent on whether impact to
CSFB is a Partial Loss, Denial of Access or Total Loss
Assumes interruption of service provided by Third Party Service
Providers, Exchanges, Industry Utilities, Clearing Corporations,
and/or Market Data Systems (e.g., pricing/news/market analysis
information, communications, trade execution/deal capture,
etc.). Also assumes interruption of services provided by CSFB.
* If the event is a Total Loss of primary data center collocated with people, then impact duration starts on Day 1. However, if the
event is a Denial of Access to a data center facility lasting more than 3 days, then it is considered a Total Loss event.
20. 20
Business Recovery/Resiliency Strategy
Options – Considerations for Risk Mitigation
Impact Scenario Probability
of
Occurrence
Business Recovery / Resiliency Strategy Option Estimated
Recurring
Cost
Speed Of
Recovery
Difficulty of
Recovery
Split/Shared Production L H L
Transference L H M
Displacement Seating L M L
Remote* L M M
Manual Workarounds L M M
Internal Recovery/ Contingency Seating – Dedicated Trading H M M
Internal Recovery/ Contingency Seating – Dedicated Non-Trading H M M
Internal Recovery/ Contingency Seating – Shared Non-Trading H M M
Third Party Provider Recovery/ Contingency Seating - Dedicated Non-Trading H M M
Third Party Provider Recovery/ Contingency Seating - Shared Non Trading M L H
Split/Shared Production L H L
Transference L H M
Displacement Seating L M L
Remote* L M M
Manual Workarounds L M M
Internal Recovery/ Contingency Seating – Dedicated Trading H L H
Internal Recovery/ Contingency Seating – Dedicated Non-Trading H L H
Internal Recovery/ Contingency Seating – Shared Non-Trading H L H
Third Party Provider Recovery/ Contingency Seating - Dedicated Non-Trading H L H
Third Party Provider Recovery/ Contingency Seating - Shared Non Trading M L H
Split/Shared Production L H L
Transference L H M
Displacement Seating L M M
Remote* L M M
Manual Workarounds L M M
Total Loss Low
Relative
Partial Loss High
Denial of Access Medium
Legend
H = High
M = Medium
L = Low
Remote* - Availability, functionality and capacity of key systems varies by business and by type of remote access
21. 21
New York Downtown
Campus
Jersey City
Site A
Jersey City
Site B
Central NJ
Office and
Data
Center
Jersey City
Site C
Jersey City
DR Data
Center
Current State
New York Downtown
Campus
Proposed Interim State Proposed Future State
BAU
Assets
BCP/
DR
Assets
Through the use of optimized traditional and alternative recovery and resiliency
strategies, utilization of Business-As-Usual (BAU) firm assets (people, facilities and
technology) increase while physical concentration risks are mitigated and DR-only
overhead costs are reduced.
Traditional Recovery – Dedicated or shared contingency seats
(internally managed or third party)
Alternative Recovery – Displacement, remote computing,
transference, split production
BAU Assets
BCP/DR Assets
Legend
Jersey City
Site A
Jersey City
Site B
Southeastern
US Office
Jersey City
DR Data
Center
Southeastern
US Office and
Data Center
Asia New York Downtown
Campus
LondonAsia
Midtown
Office
Midtown
Office
Northern NJ
DR Data
Center
Northern NJ
DR Data
Center
London
Central NJ
Office and
Data Center
Central NJ
Office and
Data Center
London
Business Continuity Risk Mitigating Strategies –
Illustrative Optimization Over Time
Jersey City
Site A
Midtown
Office