Analyzing Your Organization’s Risk...
In order to develop a Business Continuity Plan, a thorough understanding of your organizational needs and critical
processes is required. This process is known as a Business Impact Analysis.
This involves:
• Knowing your critical activities, the effect of those activities being disrupted and the priority for recovery of those activities; and
• Knowing what events could disrupt your critical activities and lead to a failure of your organisation.
2. Contents
• Why we need Business Continuity Management
• Business Resilience Strategy development
► Classical BCM strategy
► Other strategic dimensions
► Bottom line
► Data-centric
In Confidence
3. Impact of Buncefield Fire UK -11th Dec 2005
• The incident cost firms more than £70m, according to a study by the East of England Development Agency.
• Some 92 firms on the Maylands business park, employing about 9,500 people, were directly affected by the explosion.
• Some 3,300 claims, worth a potential £700m, have been filed by individuals, loss assessors and companies.
It’s not just you that suffers – or claims
4. Cause of Buncefield Fire
• Investigators said a faulty gauge and safety devices led to the overfilling of fuel storage tank 912, leading to an escape of unleaded petrol and the formation of a cloud of flammable vapour that ignited.
Cost of prevention less than £1000 vs Cost of disaster more than 700000X
Bad stuff happens and you can’t always predict it
5. Global change
• In the United States BCM was considered important to ensure
compliance with regulatory requirements.
• The emphasis has shifted since September 11, 2001, and it has become
critical to protect their customers and corporate value.
• In the UK, the events of July 7 resulted in various authorities
implementing Business Continuity & Recovery Planning.
• Europe is implementing BCM legislation
• Insurance loss adjustors now insist on BC planning and
performance
This affects you if you want to trade with the US &
Europe
6. You are vulnerable
• Over 50% of businesses fail because of impacts outside their direct
control
• Where are you in the vulnerability chain?
► Supplier
► Consumer
► Broker
► Producer
► Protector
• All of the above?
Business relationships are too complex to rely on everyone else
supporting you
7. Cost of Down Time
• Damaged Reputation: Customers; Suppliers; Financial markets; Banks; Stakeholders
• Revenue: Direct Loss; Compensations; Lost future revenue; Billing losses; Investment Losses
• Financial Performance: Cash Flow; Revenue Visibility; Lost Discounts; Credit Rating; Stock price
• Productivity: Impacted Employees; Lost Hours; Loss of motivation & control; Schedules disruption; Loss of records
• Other Expenses: Equipment and IT rental; Temporary staff; Overtime costs; Extra delivery & travel costs; Legal & regulatory imposed costs
8. Why do you need a Business Continuity Plan?
• Some Facts:
► 80% of businesses affected by a major incident close within 18
months.
► 90% of businesses that lose vital data from a disaster are forced
to shut within 2 years.
► 58% of UK organisations were disrupted by the September 11th
disaster. One in eight was seriously affected.
• Day-to-day disruptions can threaten the business not just major
emergencies.
9. Business Continuity Management (BCM)
• BCM is defined by BCI (Business Continuity
Institute) as:
• ‘an holistic management process that identifies potential impacts
that threaten an organisation and provides a framework for building
resilience and the capability for an effective response that
safeguards the interests of its key stakeholders, reputation, brand,
and value creating activities’.
10. Business Continuity Management (BCM)
• Three principal objectives:
1. To be prepared for a disaster
2. To systematically and continuously identify exposure to risk
3. To increase the readiness to recover from ANY disaster with
the minimal impact on your business.
11. Some terminology
• When does a crisis become a disaster?
• How many Disruptions = 1 Crisis?
• Disaster
• Crisis
• Disruption
• Event
[Chart: Impact against Frequency]
The terms are less important than the outcomes
12. Classical Business Resilience Model
• The six discrete components :
► Strategy,
► Organisation,
► Processes,
► Data / applications,
► Technology,
► Facilities / security.
13. Business Resilience Management Process
[Process cycle diagram with stages: Analyse Business; Analyse Risks; Develop Strategy; Develop Plan; Test Plan]
14. Business Resilience Strategy
• Three stages –
► Business Recovery
• Ability to respond quickly and effectively.
► Business Continuity
• How quickly – and painlessly – would you be able to get back to ‘business as usual’.
► Business Resilience
• Implies built-in protection and safeguards for your business assets, resource and business critical data.
[Diagram labels: Business Recovery; Business Continuity; Business Resilience; Business Resilience Strategy]
Where you start depends on the circumstances
15. Risk Assessment
• Ask scenario based questions e.g:
► What if the IT system fails causing 4 weeks data loss?
► What if sales information was not available for 6 weeks?
► What if there was a strike by the workers?
► What if your major supplier went bust?
► What if there was a flood causing damage to your building and
equipment?
► What if there was a fire?
► How to survive a terrorist bomb attack?
• The best practice is to identify every category of risk and quantify
their impact on the business as well as to the local community.
Retro-analysis is time consuming and complex but necessary
16. Mitigation actions to Consider
Five options -
• Do nothing; accept the status quo
• Reduce the likelihood of events causing risk
• Reduce the effect of risks to a more manageable level
• Reduce risks to negligible level
• Eliminate risk completely.
[Chart: Cost against Effectiveness]
BCM decision making is hard
17. Business Resilience Strategy
• Basic strategy framework:
► Ensure Business Continuity plans are in place
► Ensure communications can be maintained
► Staff are trained to react in an emergency
► Effective Communication Plan
► Ensure key data are accessible
► Organisation - control and leadership
The basic template is simple – the rest is not
18. BR Strategy Development
• Some options to consider:
• An impact analysis.
• Consult your insurer.
• Seek advice from your solicitors and accountants
• Revisit your SLAs and contractual obligations to your clients.
• Consider the use of external assistance - reciprocal arrangement for
the use of facilities with another company.
• Contract with a specialist supplier of Business Recovery service.
• A secondary site for immediate take over.
• An outsourced hot site ready for restoration of last day’s data.
• A cold site where equipment and communications can be installed
in the event of a disaster.
Strategy is very dependent on the organisational goals
19. Implementation – How?
• BCI handbook of best practice
• Following presentations
• Work it through in your organisation
• Copy others – (carefully)
• But how to mobilise your organisation and who pays?
• Without cultural buy in BCM will be ineffective
21. Risk appetite – who pays?
• How much buy in can you get?
• Different people have different attitudes to risk (at different times!)
• Corporations have short memories
• Without exec support you can’t do BCM
• If it is not part of the culture it won’t be effective
[Chart: risk appetite of Sales, CFO, Maintenance, CEO, Procurement and Operations, plotted between operational focus and fiscal focus]
22. Getting the buy in - Bottom line impacts
Critical business dimensions
• Solvency - now!
• Liquidity - how long have you got?
• Brand protection - who’s hurt?.....will they keep buying?
• Supply lines (in & out) – how long can they keep going?
• Restoration – BAU is it the best solution?
• Target elements of the analysis and strategy on the owners of the critical dimensions
• Make it personal – gain support
• Look for quick wins
24. Resilient Telecommunications
• The UK emergencies highlighted communication systems problems -
► BT plc tunnel fire in Manchester (April 2004),
► Floods in Boscastle (August 2004) and Carlisle (January 2005), and
► The bombings in London (July 2005)
• Loss of communications has the most immediate impact on businesses
• Coupled with other impacts this can be catastrophic
• It is always high profile
• Have back up communications for critical functions - probability you will need it = 99%+
• This is a simple low cost & effective way to introduce the concept of BCM to the organisation’s culture
25. People development
• Impact means crisis, and a crisis is no time to figure out what to do
• 80% of downtime typically through human error
• 70% of recovery time typically thinking time
• Properly trained people do the right thing before during and after an
impact
• A small well trained team can make the difference
• If everyone is trained they can act independently
• 100 confused people = disaster
• 100 people working together = business resilience
26. Data - the new currency
• Businesses no longer trade cash – it is data
• Data flows not only facilitate business they are business
• Business critical data are the second most valuable asset after people.
• The loss of data can have serious implications, even total failure of the business.
• Data loss can happen due to hardware, software errors and human
intervention, but most likely - ignorance
► The number of businesses relying on technology and internet is
increasing exponentially.
• How long can you survive data starvation?
• Do you know what your data is worth?
27. The new world
• Two things happening in the IT field:
► The number of potential risks is growing, and
► The impact of some risks is increasing rapidly
• Given these two challenges:
► Understanding the value of data is critical
► Data management is not an option
► Data back up is most likely critical
• You need to do this now but it costs money
• How do you maximise return on this investment?
28. Putting the data to work
• Data flows represent critical activities in the business:
► Invoicing, procurement, inventory, processing etc.
• Map the data flows to the critical business activities
• Prioritise the data flows and you have prioritised risk against bottom
line criteria
• Optimise the value of the data flows e.g.
• Synchronisation of billing and invoice payment
• Consolidation and reconciliation of data
• Develop new critical data flows
• Plan to protect the critical data flows and you have mitigated major
risks to the bottom line
But…
• Optimisation of data flows is Process Re-engineering (BPR) - BPR
leads to process and business efficiencies & reduced costs
• Reduced costs & higher efficiencies hit the bottom line
29. Optimising data flows
• How much is manual?
• How much is redundant/duplicate?
• Where are the bottlenecks?
• Where is the waste?
• Efficient storage and retrieval needs integrated data flows
• Integrated data flows can be automated
• Minimum points of failure
• Protection is more effective
BCM can create as well as protect bottom line value
30. Other areas of bottom line gains
• Reduced insurance premiums
• Favourable interest rates on cash drawdown
• Sales closure rates
• Reduced inventory
• Shared facilities
• Improved marketability
• Higher stock price
31. Bringing it together
BCM imperatives
• Identify & prioritise risks
• Generate strategy & plan
• Protect data & communications
• Train people for BCM
Strategic approaches
• Bottom line focus – (gets attention)
• Data-centric focus – (creates value – embeds in culture)
• Classical – (detailed theory for analysis and implementation)
A good starting target is to make BCM pay for itself in bottom line gains
34. What we have covered
• Why we need BCM
• Span & reach of BCM
• Underpinning theory & techniques
• Ways of looking at BCM strategy
• Risk analysis
• BCM planning
• Data management & protection
• Training
• BCM practical groundwork and advice on getting started
35. What you take away
• A comprehension of the importance of BCM
• An understanding of BCM in practice for SMEs
• Membership of the BCI
► Access to all BCI on line resources
► Access to BCI help desk and resources
We trust this has helped you on your BCM journey