Shared Service Centers: Risks & Rewards in the Time of Coronavirus
2009_NYC_OpRiskUSA_Conf
1. This material may not be copied or distributed in print or electronic forms without written permission of Incisive Media.
TRANSLATING BUSINESS CONTINUITY / RESILIENCY INTO OPERATIONAL RISK SUCCESS
Peter Poulos
Executive Director
Morgan Stanley
peter.poulos@morganstanley.com
Objectives of This Session
• Overview of Business Continuity / Business Resiliency
• Operational Risks Associated with Business Continuity / Resiliency
• Determining Business Criticality in Terms of Business Resilience
• Understanding Business Impact During Business Disruptive Scenarios
• Business Resiliency Risk Remediation and Mitigation Strategies
• Opportunities for Convergence Between BCM and ORM Programs
• Q & A
Overview of Business Continuity / Business Resiliency –
What is Business Continuity Management?
Business Continuity Management (BCM) is the unifying process for managing potential risks
resulting from unforeseen events such as:
• Disruptions to Critical Public Infrastructure (power, telecoms, transportation, etc.)
• Internal or External System Failures
• Natural Disasters
• Severe Weather
• Acts of Terrorism
• Public Health Crises (e.g., epidemic)
BCM typically strives to ensure the business can always operate to a minimum agreed level by helping reduce risk to an acceptable level and planning to restore business processes.
Overview of Business Continuity / Business Resiliency –
Evolution of BCM Thinking in the Financial Services Industry

Timeline of BCM thinking (as drawn on the slide):

Mid-to-Late 1980s: Disaster Recovery (“Mission Critical Data Recovery”)
Disaster Recovery (DR) thinking evolved as businesses recognized the need to recover and restore data after a crisis such as flood, fire or earthquake.

Early-to-Mid 1990s: Business Continuity (“Near Immediate Business Resumption”)
Key events revealed the need for a more proactive approach, focused on building partial resistance and taking into consideration human and environmental factors. As a result, Business Continuity evolved from Disaster Recovery.

Early 2000s: Business Resiliency (“Total Process Resilience”)
Sustaining end-to-end business process availability requires a menu of risk mitigating solutions taking into account business priorities, risk levels and cost.

Mid-to-Late 2000s
Increased regulatory rules require firms to create, maintain and file Business Continuity Plans to use in event of significant business disruptions.

Key events marked on the timeline: 1st WTC Bombing; Bishopsgate London Bombing; Tokyo Metro Sarin Gas Attack; Oklahoma City Bombing; Y2K; EMU; 9/11/01; US Blackout; London Blackout; Hurricane Katrina; 7/7/05 London Bombings; Global threat of a Pandemic Outbreak (e.g., Avian Flu); Mumbai Bombings; Hurricane Ike (US)

Regulatory milestones marked on the timeline: UK FSA Consultation Paper 142; SEC BCP Policy for Trading Markets; US Fed Interagency Paper on Market Resilience; Monetary Authority of Singapore BCP White Paper; Bank of Japan BCP White Paper; FINRA (NASD Rules 3510/20); NYSE Rule 446; UK 1st FSA Market-wide Exercise; UK 2nd FSA Market-wide Exercise

• 9/11 and subsequent global regulatory changes accelerated business continuity thinking towards “Total Process Resiliency”
• Organizations have increased focus on risk mitigation and end-to-end Business Resilience rather than Traditional Disaster Recovery
• Clients and Counterparties increasingly focus on the business / operational resiliency of financial services firms
• Individual Lines of Business within financial services firms have increased their ownership and accountability for BCP to address the evolving regulatory environment and market expectations
Overview of Business Continuity / Business Resiliency –
Example of a Business Continuity Management Lifecycle

The lifecycle is drawn as a cycle of four phases (Gather, Analyze, Determine, Maintain) spanning People, Process and Technology.

STEP 1: Data Gathering and Business Prioritization
Activities:
• Gather Data from Business Conversations
• Conduct a Business Impact Analysis
• Determine Business Criticality of Processes and Product Lines

STEP 2: Analysis & Strategy Development
Activities:
• Perform End-to-End Process / Product Flow Analysis
• Identify Gaps and Risks
• Develop Business Recovery Strategies

STEP 3: Determine Risk Mitigating Solutions
Activities:
• Develop End-to-End BC Plans
• Develop Remediation Plan
• Remediate Technology Risks
• Remediate Facility Risks
• Remediate People & Process Risks

STEP 4: Maintenance
Activities:
• Ongoing Testing of BCP
• Management Reporting
• Conduct Periodic Training to Increase Awareness
• Periodically Assess Program
Operational Risks Associated with Business Continuity / Resiliency (Illustrative)

Operational Risk Source: Systems
• Major / Severe Technology Outage. Examples: Data Center or Telecommunications Failure
• Cyber Attack. Examples: Denial of Service or Computer Virus / Worm Outbreak

Operational Risk Source: External Events
• Natural Event. Examples: Severe Weather (Blizzard, Hurricane, Typhoon); Natural Disaster (Earthquake, Tsunami); Infectious Disease Outbreak (SARS, Pandemic Flu)
• Physical Proximity Risk. Examples: Close Proximity to an Airport, Railroad, Subway or Chemical Storage Facility
• Utility Outage. Examples: Regional Blackout, Steam Pipe Explosion, Water Main Break, Telecom Utility Outage, Public Transportation Service Disruption, etc.
• Vendor or Third-Party Provider Risk. Examples: Critical Vendor information is delayed or corrupted; Critical Third-Party Services are disrupted due to an outage they experience
• Human Event. Examples: Terrorist Attack, Civil Unrest, Riot, Protest, Labor Strike, etc.
Determining Business Criticality in Terms of Business Resilience –
Business Criticality Framework

Not All Business Processes And Product Lines Are Equal: Each Firm Needs to Prioritize

• Franchise Critical (Recover within 0-4 hours): Mandated “Top Down” by Executive Management
• Mission Critical by Business (Recover within a Business Day or 4 – 24 hours): Defined by Line of Business
• Critical by Business (Recover by the Next Business Day or 24 hours): Defined by Line of Business
• Important by Business (Recover after 2 Business Days or > 48 hours): Defined by Line of Business
Determining Business Criticality in Terms of Business Resilience –
Suggested Quantitative and Qualitative Business Impact Analysis Factors
QUANTITATIVE FACTORS TO DETERMINE BUSINESS CRITICALITY BY
PRODUCT LINE:
• Average Daily Revenues
• Average Daily Volumes
• Market Value / VaR
• Market Share
QUALITATIVE FACTORS TO DETERMINE BUSINESS CRITICALITY BY BUSINESS PROCESS:
• Liquidity of the Firm (Y/N)
• Client Obligations (Y/N)
• Market Obligations (Y/N)
• Legal / Regulatory Impact (Y/N)
• Other Franchise / Reputation Impact (Y/N)
Understanding Business Impact During Business Disruptive Scenarios

The following tables illustrate Business Impact Risk Scenarios and Probability Assumptions.

[Figure: risk scenarios plotted by Relative Frequency of Occurrence (Low / Medium / High) against Relative Severity of Business Impact (Low / Medium / High). Scenarios plotted: Minor Business Disruptions (N/A for BCP); Denial of Access; Major IT Outage; Loss of External Service Provider; Infectious Disease Outbreak; Total or Catastrophic Loss (Satellite / Virtual Office); Total or Catastrophic Loss (Branch Office); Total or Catastrophic Loss (Major Hub Office or Campus).]

Business Impact Risk Scenarios, Definitions and Examples of Causes:

Major Technology Outage
Definition: Significant disruption to one or more data centers hosting MS systems
Examples of Causes:
• Failure of internal systems such as applications, databases and servers due to power failure, flooding, HVAC, fire system failure, etc.
• Failure of internal or external telecom interfaces to other institutions, exchanges, clients, etc.
• Denial of IT service or data corruption due to a cyber (virus) attack

Denial of Access
Definition: Loss of physical access to a MS office building(s) [NOTE: IT SERVICES ARE NOT IMPACTED]
Examples of Causes:
• Denial of staff access to office premises due to a physical threat (i.e., bomb, biological or chemical) or physical disruption in close proximity to office premises (e.g., water main break, riot or protest)

Denial of Access
Definition: Significant number of MS personnel are unable to travel to their primary place of work
Examples of Causes:
• Denial of staff access to office premises due to inclement weather, transportation disruptions, etc.

Loss of External Service Providers
Definition: Loss of services provided by a third-party or vendor
Examples of Causes:
• Failure of a critical third-party or vendor such as HR benefits and payroll administration, corporate services providers, etc.

Infectious Disease Outbreak
Definition: Significant number of MS personnel are lost or unable to work (high rate of staff absenteeism)
Examples of Causes:
• Significant loss or unavailability of staff due to a health related emergency such as an epidemic or pandemic

Total or Catastrophic Loss
Definition: Catastrophic loss of one or more MS offices and/or data center facilities due to fire, flood, terrorist attack, natural disaster, etc. This may include wide-scale loss or unavailability of MS staff. Impact may be local (e.g., one building or cluster of buildings) or regional (city-wide, country-wide, etc.)
Examples of Causes:
• Events of September 11, 2001 in the U.S.
Business Continuity / Resiliency Risk Mitigation Strategies

Sustaining end-to-end business process resiliency requires a menu of risk mitigating strategies that address business priorities, business impact, risk levels and cost.

BCM Strategy Options and Definitions (the slide ranks the options by Relative Recurring Cost Levels for BC/DR Use Only, from Lowest to Highest, and groups them into Traditional Recovery Strategies and Alternative Recovery Strategies):

Alternative Business Processes
- Manual workarounds or procedures that are non-system based
- Modification to normal business processes or use of alternative system or data

Split or Shared Operations
- Split or share BAU processes by moving people and processes across geographically dispersed sites to provide overall operational resilience

Office Premises Recovery – Displacement Seating
- Displace less critical staff (who may be able to recover remotely or defer their workload) in BAU workspace with more business critical staff

Remote Working
- Continue working virtually from a remote location (e.g., home or hotel) using personal or firm PCs

Office Premises Recovery – Internal Contingency Seating
- A firm’s internal redundant facility configured only for recovery of its most critical businesses at reduced operating levels
- Seats may be dedicated to one business or shared across businesses

Transference
- Depending on time zone, utilize other offices of the firm to back-up the same or similar processes (where possible by compliance regulations, staff knowledge)

Office Premises Recovery – External Contingency Seating
- An external third-party owned and managed facility configured only for recovery of a firm’s most critical businesses at reduced operating levels
- Seats may be guaranteed to a firm (for a premium charge) or not guaranteed (with a risk to lose them to a competitor)

Office Premises Recovery – On Demand Seating
- A firm’s internal BAU space such as a training room, cafeteria or auditorium is converted for multi-purposes including use as a recovery site
Opportunities for Convergence Between BCM and ORM Programs

Business Continuity Management activities:
• Business Resiliency Risk Assessment
• Business Impact Scenario Analysis
• Business Continuity Risk Mitigation Strategy Development
• Business Continuity Plan Development
• Business Continuity Plan Awareness Training & Testing
• Issue Tracking
• Crisis Management & Incident Tracking

Operational Risk Management activities:
• Operational Risk Incident & Loss Data Collection & Analysis
• Risk and Control Self Assessments
• Scenario Analysis
• Issue Tracking

Convergence opportunities between the two programs:
• Use of common taxonomy for defining risks, business processes, products and organizations
• Use of common risk scenarios for business disruptive events
• Information sharing of:
- Business disruption incident loss data
- Output from assessment & analysis efforts completed in parallel
Q&A
Contact Information
Peter Poulos
Executive Director
Morgan Stanley
1633 Broadway, 25th Floor
New York, NY 10019
Email: peter.poulos@morganstanley.com
Office: 212-537-1769
Mobile: 917-683-8710 or 917-882-2722
For more information on this topic, please read
Chapter 10 in the following Risk Books publication: