This material may not be copied or distributed in print or electronic forms without written permission of Incisive Media.
TRANSLATING BUSINESS CONTINUITY / RESILIENCY
INTO OPERATIONAL RISK SUCCESS
Peter Poulos
Executive Director
Morgan Stanley
peter.poulos@morganstanley.com
Objectives of This Session
• Overview of Business Continuity / Business Resiliency
• Operational Risks Associated with Business Continuity / Resiliency
• Determining Business Criticality in Terms of Business Resilience
• Understanding Business Impact During Business Disruptive Scenarios
• Business Resiliency Risk Remediation and Mitigation Strategies
• Opportunities for Convergence Between BCM and ORM Programs
• Q & A
Overview of Business Continuity / Business Resiliency –
What is Business Continuity Management?
Business Continuity Management (BCM) is the unifying process for managing potential risks
resulting from unforeseen events such as:
• Disruptions to Critical Public Infrastructure (power, telecoms, transportation, etc.)
• Internal or External System Failures
• Natural Disasters
• Severe Weather
• Acts of Terrorism
• Public Health Crises (e.g., epidemic)
BCM typically strives to ensure the business can always operate to a minimum agreed level by helping reduce risk to an acceptable level and planning to restore business processes.
Overview of Business Continuity / Business Resiliency –
Evolution of BCM Thinking in the Financial Services Industry

Timeline periods shown on the slide: Mid-to-Late 1980s, Early-to-Mid 1990s, Early 2000s, Mid-to-Late 2000s

Disaster Recovery (“Mission Critical Data Recovery”):
Disaster Recovery (DR) thinking evolved as businesses recognized the need to recover and restore data after a crisis such as flood, fire or earthquake.

Business Continuity (“Near Immediate Business Resumption”):
Key events revealed the need for a more proactive approach, focused on building partial resistance and taking into consideration human and environmental factors. As a result, Business Continuity evolved from Disaster Recovery.

Business Resiliency (“Total Process Resilience”):
Sustaining end-to-end business process availability requires a menu of risk mitigating solutions taking into account business priorities, risk levels and cost.

Key events and regulatory milestones shown on the timeline:
• 1st WTC Bombing
• Bishopsgate London Bombing
• Tokyo Metro Sarin Gas Attack
• Oklahoma City Bombing
• Y2K
• EMU
• 9/11/01
• SEC BCP Policy for Trading Markets
• UK FSA Consultation Paper 142
• US Blackout
• London Blackout
• US Fed Interagency Paper on Market Resilience
• Monetary Authority of Singapore BCP White Paper
• Bank of Japan BCP White Paper
• FINRA (NASD Rules 3510/20)
• NYSE Rule 446
• UK 1st FSA Market-wide Exercise
• UK 2nd FSA Market-wide Exercise
• 7/7/05 London Bombings
• Hurricane Katrina
• Mumbai Bombings
• Hurricane Ike (US)
• Global threat of a Pandemic Outbreak (e.g., Avian Flu)

Increased regulatory rules require firms to create, maintain and file Business Continuity Plans to use in event of significant business disruptions.

• 9/11 and subsequent global regulatory changes accelerated business continuity thinking towards “Total Process Resiliency”
• Organizations have increased focus on risk mitigation and end-to-end Business Resilience rather than Traditional Disaster Recovery
• Clients and Counterparties increasingly focus on the business / operational resiliency of financial services firms
• Individual Lines of Business within financial services firms have increased their ownership and accountability for BCP to address the evolving regulatory environment and market expectations
Overview of Business Continuity / Business Resiliency –
Example of a Business Continuity Management Lifecycle

Lifecycle phases: Gather, Analyze, Determine, Maintain, applied across People, Process and Technology.

STEP 1: Data Gathering and Business Prioritization
Activities:
• Gather Data from Business Conversations
• Conduct a Business Impact Analysis
• Determine Business Criticality of Processes and Product Lines

STEP 2: Analysis & Strategy Development
Activities:
• Perform End-to-End Process / Product Flow Analysis
• Identify Gaps and Risks
• Develop Business Recovery Strategies

STEP 3: Determine Risk Mitigating Solutions
Activities:
• Develop End-to-End BC Plans
• Develop Remediation Plan
• Remediate Technology Risks
• Remediate Facility Risks
• Remediate People & Process Risks

STEP 4: Maintenance
Activities:
• Ongoing Testing of BCP
• Management Reporting
• Conduct Periodic Training to Increase Awareness
• Periodically Assess Program
Operational Risks Associated with Business Continuity /
Resiliency (Illustrative)

The slide tabulates Operational Risk Sources, the Business Continuity / Resiliency Risks arising from each, and Examples of each risk.

Operational Risk Source: Systems
• Major / Severe Technology Outage: Data Center or Telecommunications Failure
• Cyber Attack: Denial of Service or Computer Virus / Worm Outbreak

Operational Risk Source: External Events
• Natural Event: Severe Weather (Blizzard, Hurricane, Typhoon); Natural Disaster (Earthquake, Tsunami); Infectious Disease Outbreak (SARS, Pandemic Flu)
• Physical Proximity Risk: Close Proximity to an Airport, Railroad, Subway or Chemical Storage Facility
• Utility Outage: Regional Blackout, Steam Pipe Explosion, Water Main Break, Telecom Utility Outage, Public Transportation Service Disruption, etc.
• Vendor or Third-Party Provider Risk: Critical Vendor information is delayed or corrupted; Critical Third-Party Services are disrupted due to an outage they experience
• Human Event: Terrorist Attack, Civil Unrest, Riot, Protest, Labor Strike, etc.
Determining Business Criticality in Terms of Business Resilience –
Business Criticality Framework

Not All Business Processes And Product Lines Are Equal: Each Firm Needs to Prioritize

Criticality tiers, from highest to lowest:
• Franchise Critical (Recover within 0-4 hours), mandated “Top Down” by Executive Management
• Mission Critical by Business (Recover within a Business Day or 4 – 24 hours)
• Critical by Business (Recover by the Next Business Day or 24 hours)
• Important by Business (Recover after 2 Business Days or > 48 hours)

The three “by Business” tiers are defined by the Line of Business.
Determining Business Criticality in Terms of Business Resilience –
Suggested Quantitative and Qualitative Business Impact Analysis Factors
QUANTITATIVE FACTORS TO DETERMINE BUSINESS CRITICALITY BY
PRODUCT LINE:
• Average Daily Revenues
• Average Daily Volumes
• Market Value / VaR
• Market Share
QUALITATIVE FACTORS TO DETERMINE BUSINESS CRITICALITY BY
BUSINESS PROCESS:
• Liquidity of the Firm (Y/N)
• Client Obligations (Y/N)
• Market Obligations (Y/N)
• Legal / Regulatory Impact (Y/N)
• Other Franchise / Reputation Impact (Y/N)
Understanding Business Impact During Business Disruptive
Scenarios

The following tables illustrate Business Impact Risk Scenarios and Probability Assumptions.

[Chart: Relative Frequency of Occurrence (Low / Medium / High) plotted against Relative Severity of Business Impact (Low / Medium / High). Scenarios placed on the chart: Minor Business Disruptions (N/A for BCP); Denial of Access; Loss of External Service Provider; Major IT Outage; Infectious Disease Outbreak; Total or Catastrophic Loss (Satellite / Virtual Office); Total or Catastrophic Loss (Branch Office); Total or Catastrophic Loss (Major Hub Office or Campus).]

Business Impact Risk Scenarios (Risk Scenario, Definition, Examples of Causes):

Major Technology Outage
Definition: Significant disruption to one or more data centers hosting MS systems
Examples of Causes:
• Failure of internal systems such as applications, databases and servers due to power failure, flooding, HVAC, fire system failure, etc.
• Failure of internal or external telecom interfaces to other institutions, exchanges, clients, etc.
• Denial of IT service or data corruption due to a cyber (virus) attack

Denial of Access
Definition: Loss of physical access to a MS office building(s) [NOTE: IT SERVICES ARE NOT IMPACTED]
Examples of Causes:
• Denial of staff access to office premises due to a physical threat (i.e., bomb, biological or chemical) or physical disruption in close proximity to office premises (e.g., water main break, riot or protest)

Denial of Access
Definition: Significant number of MS personnel are unable to travel to their primary place of work
Examples of Causes:
• Denial of staff access to office premises due to inclement weather, transportation disruptions, etc.

Loss of External Service Providers
Definition: Loss of services provided by a third-party or vendor
Examples of Causes:
• Failure of a critical third-party or vendor such as HR benefits and payroll administration, corporate services providers, etc.

Infectious Disease Outbreak
Definition: Significant number of MS personnel are lost or unable to work (high rate of staff absenteeism)
Examples of Causes:
• Significant loss or unavailability of staff due to a health related emergency such as an epidemic or pandemic

Total or Catastrophic Loss
Definition: Catastrophic loss of one or more MS offices and/or data center facilities due to fire, flood, terrorist attack, natural disaster, etc. This may include wide-scale loss or unavailability of MS staff. Impact may be local (e.g., one building or cluster of buildings) or regional (city-wide, country-wide, etc.)
Examples of Causes:
• Events of September 11, 2001 in the U.S.
Business Continuity / Resiliency Risk Mitigation Strategies

Sustaining end-to-end business process resiliency requires a menu of risk mitigating strategies that address business priorities, business impact, risk levels and cost.

BCM Strategy Options and Definitions. The slide groups the options into Alternative Recovery Strategies and Traditional Recovery Strategies and ranks their Relative Recurring Cost Levels (for BC/DR Use Only) from Lowest to Highest.

Alternative Business Processes
- Manual workarounds or procedures that are non-system based
- Modification to normal business processes or use of alternative system or data

Split or Shared Operations
- Split or share BAU processes by moving people and processes across geographically dispersed sites to provide overall operational resilience

Office Premises Recovery – Displacement Seating
- Displace less critical staff (who may be able to recover remotely or defer their workload) in BAU workspace with more business critical staff

Remote Working
- Continue working virtually from a remote location (e.g., home or hotel) using personal or firm PCs

Office Premises Recovery – Internal Contingency Seating
- A firm’s internal redundant facility configured only for recovery of its most critical businesses at reduced operating levels
- Seats may be dedicated to one business or shared across businesses

Transference
- Depending on time zone, utilize other offices of the firm to back-up the same or similar processes (where possible by compliance regulations, staff knowledge)

Office Premises Recovery – External Contingency Seating
- An external third-party owned and managed facility configured only for recovery of a firm’s most critical businesses at reduced operating levels
- Seats may be guaranteed to a firm (for a premium charge) or not guaranteed (with a risk to lose them to a competitor)

Office Premises Recovery – On Demand Seating
- A firm’s internal BAU space such as a training room, cafeteria or auditorium is converted for multi-purposes including use as a recovery site
Opportunities for Convergence Between BCM and ORM
Programs

Business Continuity Management activities:
• Business Resiliency Risk Assessment
• Business Impact Scenario Analysis
• Business Continuity Risk Mitigation Strategy Development
• Business Continuity Plan Development
• Business Continuity Plan Awareness Training & Testing
• Issue Tracking
• Crisis Management & Incident Tracking

Operational Risk Management activities:
• Operational Risk Incident & Loss Data Collection & Analysis
• Risk and Control Self Assessments
• Scenario Analysis
• Issue Tracking

Convergence opportunities shared by both programs:
• Use of common taxonomy for defining risks, business processes, products and organizations
• Use of common risk scenarios for business disruptive events
• Information sharing of:
  - Business disruption incident loss data
  - Output from assessment & analysis efforts completed in parallel
Q&A
Contact Information
Peter Poulos
Executive Director
Morgan Stanley
1633 Broadway, 25th Floor
New York, NY 10019
Email: peter.poulos@morganstanley.com
Office: 212-537-1769
Mobile: 917-683-8710 or 917-882-2722
For more information on this topic, please read
Chapter 10 in the following Risk Books publication:

2009_NYC_OpRiskUSA_Conf

  • 1. This material may not be copied or distributed in print or electronic forms without written permission of Incisive Media. TRANSLATING BUSINESS CONTINUITY / RESILIENCYTRANSLATING BUSINESS CONTINUITY / RESILIENCY INTO OPERATIONAL RISK SUCCESSINTO OPERATIONAL RISK SUCCESS Peter Poulos Executive Director Morgan Stanley peter.poulos@morganstanley.com
  • 2. 2 This material may not be copied or distributed in print or electronic forms without written permission of Incisive Media. Objectives of This Session • Overview of Business Continuity / Business Resiliency • Operational Risks Associated with Business Continuity / Resiliency • Determining Business Criticality in Terms of Business Resilience • Understanding Business Impact During Business Disruptive Scenarios • Business Resiliency Risk Remediation and Mitigation Strategies • Opportunities for Convergence Between BCM and ORM Programs • Q & A
  • 3. 3 This material may not be copied or distributed in print or electronic forms without written permission of Incisive Media. Overview of Business Continuity / Business Resiliency – What is Business Continuity Management? Business Continuity Management (BCM) is the unifying process for managing potential risks resulting from unforeseen events such as: • Disruptions to Critical Public Infrastructure (power, telecoms, transportation, etc.) • Internal or External System Failures • Natural Disasters • Severe Weather • Acts of Terrorism • Public Health Crises (e.g., epidemic) BCM typically strives to ensure the business can always operate to a minimum agreed level by helping reduce risk to an acceptable level and planning to restore business processes.
  • 4. 4 This material may not be copied or distributed in print or electronic forms without written permission of Incisive Media. Overview of Business Continuity / Business Resiliency – Evolution of BCM Thinking in the Financial Services IndustryBusinessContinuity “NearImmediateBusiness Resumption” Tokyo Metro Sarin Gas Attack Oklahoma City Bombing Key events revealed the need for a moreKey events revealed the need for a more proactive approachproactive approach -- focused on buildingfocused on building partial resistance and taking into considerationpartial resistance and taking into consideration human and environmental factors. As ahuman and environmental factors. As a result, Business Continuity evolved fromresult, Business Continuity evolved from Disaster Recovery.Disaster Recovery. Mid-to-Late 1980s Early-to-Mid 1990s Early 2000s DisasterRecovery “MissionCriticalDataRecovery” BusinessResiliency “TotalProcessResilience” Y2K Disaster Recovery (DR) thinkingDisaster Recovery (DR) thinking evolved as businesses recognized theevolved as businesses recognized the need to recover and restore data afterneed to recover and restore data after a crisis such as flood, fire ora crisis such as flood, fire or earthquake.earthquake. US Blackout Monetary Authority of Singapore BCP White Paper 9/11/01 1st WTC Bombing Bishopgates London Bombing Sustaining endSustaining end--toto--end business process availabilityend business process availability requires a menu of risk mitigating solutions takingrequires a menu of risk mitigating solutions taking into account business priorities, risk levels and cost.into account business priorities, risk levels and cost. 
EMU SEC BCP Policy for Trading Markets Mid-to-Late 2000s UK FSA Consultation Paper 142 FINRA (NASD Rules 3510/20) NYSE Rule 446 London Blackout UK 2nd FSA Market-wide Exercise US Fed Interagency Paper on Market Resilience Bank of Japan BCP White Paper UK 1st FSA Market-wide Exercise • 9/11 and subsequent global regulatory changes accelerated business continuity thinking towards “Total Process Resiliency” • Organizations have increased focus on risk mitigation and end-to- end Business Resilience rather than Traditional Disaster Recovery • Clients and Counterparties increasingly focus on the business / operational resiliency of financial services firms • Individual Lines of Business within financial services firms have increased their ownership and accountability for BCP to address the evolving regulatory environment and market expectations Hurricane Katrina Global threat of a Pandemic Outbreak (e.g., Avian Flu) Mumbai Bombings Hurricane Ike (US) 7/7/05 London Bombings Increased regulatory rules require firmsIncreased regulatory rules require firms to create, maintain and file Businessto create, maintain and file Business Continuity Plans to use in event ofContinuity Plans to use in event of significant business disruptions.significant business disruptions.
  • 5. 5 This material may not be copied or distributed in print or electronic forms without written permission of Incisive Media. STEP 2: Analysis & Strategy Development Activities: Perform End-to-End Process / Product Flow Analysis Identify Gaps and Risks Develop Business Recovery Strategies STEP 4: Maintenance Activities: Ongoing Testing of BCP Management Reporting Conduct Periodic Training to Increase Awareness Periodically Assess Program STEP 1: Data Gathering and Business Prioritization Activities: Gather Data from Business Conversations Conduct a Business Impact Analysis Determine Business Criticality of Processes and Product Lines STEP 3: Determine Risk Mitigating Solutions Activities: Develop End-to-End BC Plans Develop Remediation Plan Remediate Technology Risks Remediate Facility Risks Remediate People & Process Risks ProcessProcess TechnologyTechnology PeoplePeople Gather Analyze Determ ine M aintain Overview of Business Continuity / Business Resiliency – Example of a Business Continuity Management Lifecycle
  • 6. 6 This material may not be copied or distributed in print or electronic forms without written permission of Incisive Media. Operational Risks Associated with Business Continuity / Resiliency (Illustrative) Terrorist Attack, Civil Unrest, Riot, Protest, Labor Strike, etc.Human Event Critical Vendor information is delayed or corrupted Critical Third-Party Services are disrupted due to an outage they experience Vendor or Third-Party Provider Risk Regional Blackout, Steam Pipe Explosion, Water Main Break, Telecom Utility Outage, Public Transportation Service Disruption, etc. Utility OutageExternal Events Close Proximity to an Airport, Railroad, Subway or Chemical Storage Facility Physical Proximity Risk Severe Weather: Blizzard, Hurricane, Typhoon Natural Disaster: Earthquake, Tsunami Infection Disease Outbreak: SARS, Pandemic Flu Natural Event Denial of Service or Computer Virus / Worm OutbreakCyber Attack Data Center or Telecommunications FailureMajor / Severe Technology Outage Systems ExamplesBusiness Continuity / Resiliency Risks Operational Risk Sources
  • 7. 7 This material may not be copied or distributed in print or electronic forms without written permission of Incisive Media. Determining Business Criticality in Terms of Business Resilience – Business Criticality Framework Franchise Critical (Recover within 0-4 hours) Mission Critical by Business (Recover within a Business Day or 4 – 24 hours) Critical by Business (Recover by the Next Business Day or 24 hours) Important by Business (Recover after 2 Business Days or > 48 hours) Not All Business ProcessesNot All Business Processes And Product Lines Are EqualAnd Product Lines Are Equal:: Each Firm Needs to PrioritizeEach Firm Needs to Prioritize Mandated “Top Down” by Executive Management Defined by Line of Business
• 8. Determining Business Criticality in Terms of Business Resilience – Suggested Quantitative and Qualitative Business Impact Analysis Factors
  QUANTITATIVE FACTORS TO DETERMINE BUSINESS CRITICALITY BY PRODUCT LINE:
    • Average Daily Revenues
    • Average Daily Volumes
    • Market Value / VaR
    • Market Share
  QUALITATIVE FACTORS TO DETERMINE BUSINESS CRITICALITY BY BUSINESS PROCESS:
    • Liquidity of the Firm (Y/N)
    • Client Obligations (Y/N)
    • Market Obligations (Y/N)
    • Legal / Regulatory Impact (Y/N)
    • Other Franchise / Reputation Impact (Y/N)
• 9. Understanding Business Impact During Business Disruptive Scenarios
  The following tables illustrate Business Impact Risk Scenarios and Probability Assumptions.
  [Chart: Relative Frequency of Occurrence (Low / Medium / High) plotted against Relative Severity of Business Impact (Low / Medium / High). Scenarios plotted: Minor Business Disruptions (N/A for BCP), Denial of Access, Loss of External Service Provider, Major IT Outage, Infectious Disease Outbreak, Total or Catastrophic Loss (Satellite / Virtual Office), Total or Catastrophic Loss (Branch Office), Total or Catastrophic Loss (Major Hub Office or Campus).]
  Table columns: Business Impact Risk Scenarios | Definition | Examples of Causes
  Major Technology Outage
    Definition: Significant disruption to one or more data centers hosting MS systems
    Examples of Causes:
      - Failure of internal systems such as applications, databases and servers due to power failure, flooding, HVAC, fire system failure, etc.
      - Failure of internal or external telecom interfaces to other institutions, exchanges, clients, etc.
      - Denial of IT service or data corruption due to a cyber (virus) attack
  Denial of Access
    Definition: Loss of physical access to a MS office building(s) [NOTE: IT SERVICES ARE NOT IMPACTED]
    Examples of Causes: Denial of staff access to office premises due to a physical threat (i.e., bomb, biological or chemical) or physical disruption in close proximity to office premises (e.g., water main break, riot or protest)
    Definition: Significant number of MS personnel are unable to travel to their primary place of work
    Examples of Causes: Denial of staff access to office premises due to inclement weather, transportation disruptions, etc.
  Loss of External Service Providers
    Definition: Loss of services provided by a third-party or vendor
    Examples of Causes: Failure of a critical third-party or vendor such as HR benefits and payroll administration, corporate services providers, etc.
  Infectious Disease Outbreak
    Definition: Significant number of MS personnel are lost or unable to work (high rate of staff absenteeism)
    Examples of Causes: Significant loss or unavailability of staff due to a health related emergency such as an epidemic or pandemic
  Total or Catastrophic Loss
    Definition: Catastrophic loss of one or more MS offices and/or data center facilities due to fire, flood, terrorist attack, natural disaster, etc. This may include wide-scale loss or unavailability of MS staff. Impact may be local (e.g., one building or cluster of buildings) or regional (city-wide, country-wide, etc.)
    Examples of Causes: Events of September 11, 2001 in the U.S.
• 10. Business Continuity / Resiliency Risk Mitigation Strategies
  Sustaining end-to-end business process resiliency requires a menu of risk mitigating strategies that address business priorities, business impact, risk levels and cost.
  Table columns: BCM Strategy Options | Definitions | Relative Recurring Cost Levels for BC/DR Use Only (Lowest to Highest)
  The slide groups the options into Traditional Recovery Strategies and Alternative Recovery Strategies.
  Alternative Business Processes
    - Manual workarounds or procedures that are non-system based
    - Modification to normal business processes or use of alternative system or data
  Split or Shared Operations
    - Split or share BAU processes by moving people and processes across geographically dispersed sites to provide overall operational resilience
  Office Premises Recovery – Displacement Seating
    - Displace less critical staff (who may be able to recover remotely or defer their workload) in BAU workspace with more business critical staff
  Remote Working
    - Continue working virtually from a remote location (e.g., home or hotel) using personal or firm PCs
  Office Premises Recovery – Internal Contingency Seating
    - A firm's internal redundant facility configured only for recovery of its most critical businesses at reduced operating levels
    - Seats may be dedicated to one business or shared across businesses
  Transference
    - Depending on time zone, utilize other offices of the firm to back-up the same or similar processes (where possible by compliance regulations, staff knowledge)
  Office Premises Recovery – External Contingency Seating
    - An external third-party owned and managed facility configured only for recovery of a firm's most critical businesses at reduced operating levels
    - Seats may be guaranteed to a firm (for a premium charge) or not guaranteed (with a risk to lose them to a competitor)
  Office Premises Recovery – On Demand Seating
    - A firm's internal BAU space such as a training room, cafeteria or auditorium is converted for multi-purposes including use as a recovery site
• 11. Opportunities for Convergence Between BCM and ORM Programs
  Business Continuity Management
    - Business Resiliency Risk Assessment
    - Business Impact Scenario Analysis
    - Business Continuity Risk Mitigation Strategy Development
    - Business Continuity Plan Development
    - Business Continuity Plan Awareness Training & Testing
    - Issue Tracking
    - Crisis Management & Incident Tracking
  Operational Risk Management
    - Operational Risk Incident & Loss Data Collection & Analysis
    - Risk and Control Self Assessments
    - Scenario Analysis
    - Issue Tracking
  Convergence opportunities between the two programs:
    - Use of common taxonomy for defining risks, business processes, products and organizations
    - Use of common risk scenarios for business disruptive events
    - Information sharing of:
      - Business disruption incident loss data
      - Output from assessment & analysis efforts completed in parallel
• 12. Q&A
• 13. Contact Information
  Peter Poulos
  Executive Director
  Morgan Stanley
  1633 Broadway, 25th Floor
  New York, NY 10019
  Email: peter.poulos@morganstanley.com
  Office: 212-537-1769
  Mobile: 917-683-8710 or 917-882-2722
  For more information on this topic, please read Chapter 10 in the following Risk Books publication: