Business Continuity Planning
Rising from the Ashes – practical insights on recovering from a disaster
Agenda
1. Disasters and news events
2. Tracker Case Study
3. Ceres earthquake
4. What is Business Continuity Planning
5. Why BCP (incorporating King III)
6. BCP and Risk Management Framework
7. What auditors look for
8. The real solution
9. Practical considerations
PwC
2
A disaster could strike at any time
Is your organisation prepared?
Disasters
In the past few years some major South African businesses were impacted by severe fire damage to facilities.
• Tracker – Head Office burnt down overnight
• Paarl Gravure
• Paarl Print – 13 people died
• CERES (collapse of racking)
• BOKOMO (fire)
• SARS – Umhlanga offices
• Electricity failures
• Service delivery protests
Globally
• Economic crisis – loss of major suppliers
• Toyota – major recalls internationally
• Natural disasters – Japan, Haiti, Thailand, Pakistan, USA
• London riots
Biggest insurance loss recorded since 9/11
Lloyd's of London hit by record catastrophic claims – £526m loss last year
The 324-year-old insurance market, which operates out of Richard Rogers's famous "inside-out building" in London, paid out £4.6bn in disaster claims after earthquakes in Japan and New Zealand, storms in the US and floods in Thailand and Australia.
Total catastrophe claims for the global industry reached $107bn (£67bn) last year, according to insurer Aon Benfield.
The unprecedented series of natural disasters forced up the total Lloyd's payout to £12.9bn, or £1.07 for every £1 paid in premiums last year.
Extreme weather events increased significantly over the past decade
Extreme weather events over the past decade have increased and were "very likely" caused by human-induced global warming, according to a study in the journal Nature Climate Change.
Recent years have seen an exceptionally large number of record-breaking and destructive heatwaves in many parts of the world, and research suggests that many or even most of these would not have happened without global warming.
Tracker Case Study
• Fire started at approx. 2am on 17 Jan 2010
• Local residents called Fire Services
• Entire top floor, which housed their call centre, was destroyed – at 3:30am the fire was still raging
• Senior management team assembled at their recovery site – 4am
• Started executing their Business Continuity Plan; plans were based on a 9/11-type scenario
• Call centre was operational by 5:30am
• People played a major role
• No disruption to their services
• Fully operational on Monday morning at 6am when staff arrived for work
Tracker Case Study
Gareth Crocker, Communications Manager for Tracker, left the following comment at 11am:
"I would just like to let everyone know that Tracker's emergency call centre was recently moved from that building and escaped unscathed. We have a disaster recovery site and plan for this kind of thing which we are rolling out as we speak. We don't anticipate major disruptions to our business come Monday morning."
Ceres earthquake of 29 September 1969
The most destructive earthquake in South African history struck the Ceres area at 22h03 on the 29th of September 1969. Its magnitude was 6.3 on the Richter scale. The shock was felt as far away as Durban (1175 km). The earthquake was followed by a number of aftershocks, the most severe of which (5.7 on the Richter scale) was on the 14th of April 1970.
During the earthquake, even well-constructed brick houses were extensively damaged. Nearly all the roads in the area were cracked, pipelines were broken and tombstones fell. Fortunately none of the dams in the area failed, although the earth walls of some were cracked.
Extensive fires ravaged the mountains due to sparks caused by falling rocks and scree slides. The duration of the main shock was 15 seconds.
The accumulation of forces over time will probably cause another earthquake in the future.
What is Business Continuity Planning
Business Continuity
Business continuity describes the processes and procedures an organisation puts in place to ensure that essential functions can continue during and after a disaster. Business continuity planning seeks to prevent interruption of mission-critical services, and to re-establish full functioning as swiftly and smoothly as possible after any interruption.
No organisation wants to suffer a breach of its information security defences. But even the best defences are not always fail-safe. It therefore needs a 'business continuity plan' (BCP) which sets out the actions to be taken to restore business as usual after a critical incident. However, it is better if the breach can be avoided, so organisations put in place proactive controls to help minimise and manage risks.
People over plans every time
Paradigm Shift

Solution elements     Perception   Reality
People                5%           65%
Infrastructure        20%          30%
Paper plans           35%          5%
Analytical reports    40%          0%

People are by far the most important element of a working solution.
Extensive research clearly shows that in a real crisis people rarely look at plans.
Business Continuity Management
Key areas of focus
• Crisis Management Team – identifying priorities, project management, reputation management, strategic decisions, recovery support, stakeholders, communications
• IT Recovery Team
• Business Recovery Team
• Incident Site Team
Elements shown around the recovery teams on the slide: modems, IT staff, emergency services, management, visitors, site communications, business staff, staff, backups, plans, staff and client communications, infrastructure, business processes, computers, IT security, servers, phone systems, networks
BCP vs. Disaster Management
Disaster management focuses on saving and preserving lives and infrastructure in the event of a disaster. The focus is also on providing humanitarian relief to affected persons and on rescue and salvage operations.
Disaster management should be focused on 4 areas:
• Disaster prevention
• Disaster preparedness
• Disaster relief
• Disaster recovery
Business continuity is focused on resuming critical business operations in the aftermath of a disaster.
BCP vs. Disaster Management
(Cartoon caption: "Phew! Thank goodness we all made it out in time…. 'Course now we are still out of water.")
A number of organisations focus on emergency management but ignore the need to recover their business operations!
Business continuity management addresses an organisation's ability to:
• Limit the effects of a crisis;
• Provide uninterrupted services; and
• Ultimately recover from the crisis.
Why BCP?
• King III
• High risk environment
• Reputation and public image
• Reliance on complex systems
• Good business sense!
Drivers for BCP – regulatory
King II
3.1.5. The board is responsible for ensuring that a systematic, documented assessment of the processes and outcomes surrounding key risks is undertaken, at least annually, for the purpose of making its public statement on risk management. It should, at appropriately considered intervals, receive and review reports on the risk management process in the company. This risk assessment should address the company's exposure to at least the following:
• physical and operational risks;
• human resource risks;
• technology risks;
• business continuity and disaster recovery;
• credit and market risks; and
• compliance risks.
IT Governance
King III
IT should form an integral part of the company's risk management

Recommendation: Management should regularly demonstrate to the board that adequate business resilience arrangements are in place for disaster recovery
Practical considerations: Business Continuity Planning and DRP

Recommendation: The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered
Practical considerations: Awareness of IT related laws and regulations
IT Governance
King III
Risk committee and audit committee should assist the board in carrying out its IT responsibilities

Recommendation: The risk committee should ensure that IT risks are adequately addressed
Practical considerations: IT risks covered as part of the ERM process

Recommendation: The risk committee should obtain appropriate assurance that controls are in place and effective in addressing IT risks
Practical considerations: IT should be on the agenda of Risk and Audit committee meetings

Recommendation: The audit committee should consider IT as it relates to financial reporting and the going concern of the company
Practical considerations: Audit committee to consider IT risks as they relate to:
• Financial reporting
• Going concern
BCP and Risk Management
• Risks threaten
• Controls mitigate risks – to an extent
• Risks can impact
• Impact results in aftermath – "mess"
• The mess needs to be cleaned up
• Aftermath issues are generic
• BCP should focus on aftermath
RISK MANAGEMENT SAFETY NET
How Does BCP Fit Into a Risk Management Framework?
Flow on the slide: Threats → Your Business → Impact → Aftermath Issues → Crisis Management
Shield (controls that sit between threats and your business):
• access controls
• hazard avoidance
• hazard detection
• hazard suppression
• redundancy/duplication/diversity
• backup
• culture and awareness
Impact: strategic, financial, operational, legal
Aftermath issues:
• massive disruption to business operations
• significant financial loss
• loss of customers and market share
• loss of vital information – computers and documents
• adverse media coverage and poor image
• political embarrassment
• legal claims for negligence and breach of contract
• increased insurance premium
• theft of equipment and resources
• poor staff morale
• management lose control and cannot cope
Crisis Management (Technology Continuity and Operational Disaster Recovery) covers:
• operations
• people
• technology – IT and voice
• facilities
• financial
• media
• legal
• customers and suppliers
What auditors traditionally look for
The full scope approach (can take months):
• Analysis – risks, criticality, impact etc.
• Strategy formulation
• Documentation
• Training
• Testing
• Maintenance
What do auditors want from a DRP:
• Documented plan
• Recently updated
• Evidence of testing
• Evidence of risk assessment and business impact analysis
• Are you backing up – where?
• Environmental controls
And it looks like this…
1. Risk Assessment
• Prepare team structure
• Health check
• Perform threat analysis
• Review existing mitigation program
2. Business Impact Analysis
• Determine business processes
• Develop ranking criteria
• Determine impacts (financial, operational, etc.)
• Recovery time objectives
• Minimum recovery resources
3. Strategy Selection
• Range of strategies
• Cost vs. benefit review
• RFI / RFP costs
• Strategy selection
4. Plan Development
• Draft BCP
• Prepare team procedures
• Document final BCP
5. Testing and Maintenance
• Testing & maintenance procedures
• Structured walk-through
So what is the solution? – BCP FastTrack
SIMULATION
• Simulate a large scale crisis with the team who would manage a real life crisis
• Involve 3rd parties e.g. insurance, media, emergency services
• Develop recovery plans in follow-up workshops
IMPLEMENTATION
• Business units and IT implement the infrastructure identified from the simulation
TEST
• The people who will use and rely on the recovery strategies and plans will test them
RETEST
• Testing occurs regularly
Simulation
People need to be rehearsed in their roles if they are to perform on the day.
Example – loss of buildings & telephony simulation
Involve external parties
• The crisis team negotiate their response with the team members
• External media challenge the public relations response
• Insurance coverage is confirmed with the loss adjusters – with some surprises
People need to be rehearsed if they are to perform on the day.
Practical considerations and key lessons?
Practical considerations
• Accounting for all staff and contractors
• Re-routing of PABX
• Staff counselling
• Dealing with the media and issuing press statements
• Limited number of available PCs
• Communicating with staff and the public
• Insurance considerations
• Restoration of call centre and IT systems
• Contracts/documents destroyed
• Restoring business operations
• Sourcing and moving to other premises
Rising from the Ashes – key lessons on recovering from a disaster
Business continuity is not just a document – it's an ABILITY:
• People
• Supporting infrastructure
• Action checklists
Key lessons:
• Not a once-off exercise
• Change management is vital
• People first
• Tested IT recovery
• Good communication
• Deal with the media
• Should be an annual budget
• Insurance
• Review 3rd parties
Conclusion
Can your organisation afford a BCP?
vs.
Can your organisation afford not to have a BCP?
Questions?
Justin Bouwer
021 5292172 / 082 7788178
[email protected]
© 2012 PwC. All rights reserved. Not for further distribution without the permission of PwC.
"PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.