Marsh Risk Services Risk Solution Services
Download
Report
Transcript Marsh Risk Services Risk Solution Services
Maintaining Operations in the Face of Unexpected Loss
New Realities in Business Continuity Management
William Pollock
Snr VP & National Manager
MRC-Risk Services
Melbourne
General Overview - MRC
Management Consulting Division of Marsh
Global Representation
Principal focus - To provide risk solutions to clients
Multiple portfolios / services / operating synergies
Marsh
2
BCM - A Viewpoint
BEING PROPERLY PREPARED IS A COMPLEX SCIENCE
Marsh
3
AN OPINION
MURPHY’S LAW STILL EXISTS - BUT WE DON’T HAVE TO MAKE
IT EASY FOR HIM
WE CAN NEVER COVER ALL THE BASES ALL OF THE TIME - BUT
GOOD BCM CAN KEEP YOU IN THE GAME
“WINGING IT”
- IS FOR THE BIRDS - AND SHOULD BE AVOIDED OR
BECOME AN ACTION OF LAST RESORT
- IT USUALLY ONLY WORKS WELL:
¯ IN THE MOVIES OR
¯ IF YOU ARE ALL GOING IN THE SAME DIRECTION
AND READING THE SAME SCRIPT - (ie GOOD BCM)
Marsh
4
BCM - What Does It Mean?
DEFINITION:
The development, maintenance and implementation of
strategies; plans and actions to ensure the continued
availability of critical business processes and services
It includes:
–pre-empting the impact of an incident / crisis
–responding to the incident / crisis
–implementing contingency / continuity plans
–stabilising / recovering critical functions
–resuming / restoring normal operations
Marsh
5
BCM – What are the Drivers?
Legislation / Regulations / Statutes / Standards / Government Reports
– ASX Corporate Governance guidelines,
– CLERP 9
– APRA - Australia (GPS 222)
– Sarbanes Oxley in the USA,
– Australian Standards Handbook HB 221 - Business Continuity
Management
Precedents / Royal Commissions / Senate Inquiries / Parliamentary
Inquiries
Increasing Litigation / Speed of Communication / Investigation /
Observations
Customer, employee, stakeholder and supplier expectations
Marsh
6
BCM - WHAT IS REALLY DIFFERENT
COMMUNITY IS BECOMING INCREASINGLY MORE AWARE
EXPECTATIONS ARE HIGHER
LEVELS OF TOLERANCE ARE DECREASING
ENVIRONMENT IS BECOMING INCREASINGLY MORE COMPLEX**
PERCEPTIONS CAN “CAUSE DAMAGE”
RULE OF PRECEDENT
Marsh
7
BCM - why do it?
General Findings:
43% of businesses experiencing major disasters never re-open
29% close within three years
< 50% of organisations have business recovery plans and at
least 90% never test the plans
75% of businesses are UNABLE TO FUNCTION without IT
support within 14 days
Marsh
“recovery time” is invariably underestimated
“costs” of recovery not always recovered by BI
8
Business Continuity Plan
Why is the Plan itself – so important?
– regulated requirement
– specific response capability vs risk profile vs time
– optimisation of response & recovery strategy
– pre-determined allocation of resources / equipment
– focussed preparation / implementation / training
– enables assessment of specific capabilities and preparedness
against known risk / incident type
Marsh
9
Business Continuity Management
How do we go about it?
Marsh
10
BCM definitions:
Emergency Response
Crisis Management
Crisis Communication Management
Business Continuity Plan
Disaster Recovery Plan (DRP)
Business Continuity Management
Marsh
11
What are YOU trying to do?
Prevent the problem
Fix the problem
Manage Issues & Implications
Recover and Continue from the event
Protect the Enterprise
Act diligently
Marsh
12
Business Continuity Management (BCM)
Marsh Integrated Approach
Policy
Training/
Awareness
BIA / Risk
Assessment
Enterprise
Value
Recovery
Strategies
Emergency
Response
Crisis Management
&
Communication
Marsh
13
Plan development - Step by Step
Process
Recovery Priorities
BUSINESS
OPERATIONS
Critical Business
Processes
Recovery Time
Objectives
Recovery
Procedures
Marsh
Recovery Options
ALTERNATIVE
OPTIONS
(RECOVERY RESOURCES)
14
BCM – A Development Perspective
Some questions:
What is the actual composition of the impacted activities?
What are the critical elements / processes / areas of dependency associated
with the impacted activities?
Where are the bottlenecks and / or key points of failure associated with the
impacted activities?
Where does your office / function / organisation sit within the “greater” network
Are there any factors or 3rd party disturbances - outside your control - which
could directly / indirectly affect the recovery efficiency of the impacted activity?
What are the precedents? How can you minimise impact on recovery?
How do you retain control?
What level of pain are you prepared to carry before it detrimentally affects the
objectives of the business function and its subsequent recovery?
Marsh
15
What happens when a key process is overloaded /
disrupted?
Marsh
16
BCM Development
Some Practical Considerations – Think PROCESS !!!!
Mission critical activity:
– Financial and non-financial impacts
– Recovery Time Objective (RTO) & Recovery Point Objective (RPO)
– Critical processes / inter- dependencies identified & prioritised
– Minimum level of resources identified - phased over time
– Key people / teams identified; trained; notified; activated; tasked
– Business recovery – linked to – IT system recovery / Hot Site !!!!!
– Key documents backed up & stored off site
– Expectations of Key stakeholders
– Constraints under which the mission critical activities need to operate
– Recovery priorities & acceptable levels of redundancy identified &
confirmed
– Audit; review, train and test
not an exhaustive or prescriptive list
Marsh
17
Marsh
Coffee Break
18
The World Trade Center had two 110story buildings, known as the "Twin
Towers" and five smaller buildings.
• Tower One was 414 meters tall.
•Tower Two was 412 meters.
• Built of aluminum and steel.
• The foundation of each tower extended
more than 70 feet below ground, resting
on solid bedrock.
• Each tower consisted of 104 passenger
elevators and 21,800 windows.
• About 50,000 people worked in the
complex, which housed the offices of
more than 430 businesses
Marsh
19
Marsh
20
Indicative
Incident Response
Evacuation
Setting up an information centre, to register employees and make an
inventory of missing or wounded people
Care for employees; families and victims; community
Setting up communication and IT networks
Creating alternative office space
Managing / Recovering day to day business
Security
Marsh
not an exhaustive list
21
Merely Identifying Risks is Not Enough
At Corporate level:
- many companies completed a risk assessment report to
Turnbull or other Corporate Governance requirements went no further or “believed” controls “in place” were
adequate
Insurance was obviously vital for the businesses affected but it was
evident that insurance was not enough to ensure continued
operation.
Risk Control is only the starting point - a waste of time unless
meaningful follow-up action is taken
Marsh
22
Some BCM Findings-General Market
– Processes
Inability to locate key personnel - after evacuation
poor security at secondary site
ill-defined secondary / alternate site transition
Marsh
Inability to move to alternative locations with minimal disruptions
to ongoing business
Inability to execute critical business functions in a timely manner
undefined alternatives in “supply chain”
23
Some BCM Lessons - General market
Contingency Planning
detailed plans - less effective
logistical errors - common
inadequate data recovery
optimistic scenario planning
People
– plans assumed impact on premises / functions
– BUT people skills / intellectual knowledge / resources still
available.
People / intellectual property can and were lost
Trauma needed to be managed
Ability to handle stress and trauma is not always directly
associated with seniority
Marsh
24
Some BCM Lessons-General Market
Logistics
inadequate security for affected offices / companies
relocation of large numbers of traumatised people and / or
support teams involved in recovery
impact of loss of personnel; services and logistics
associated with relocation
Crisis Management
Confusion
Secondary EOC - “outside” exclusion zone
logistics - impaired efficiency / speed of EOC set-up /
wide area issues need to be considered
Marsh
25
Some BCM Lessons-General Market
Telecoms
– businesses may not be able to rely on telecom networks in the event of a
major emergency
– Examples:
need to check for “choke points’
internet reliant firms saw websites down for days
other firms experienced massive surge on internet utilisation
causing servers / routers to overload
Marsh
26
Some BCM Lessons-General Market
Reputation Management
– all actions in the gun-sight of the media - during and post
incident
stakeholder management issues not always clearly defined;
differentiated or managed appropriately
public expectations need to be taken into account
corporate reputation; brand management
moral issues are paramount eg:
- compensation / medical / general insurance benefits /
severance
- trauma counselling / NOK
– Comparisons are inevitable - No Rules - unless international
precedents considered
Marsh
27
Some BCM Lessons-General Market
Risk Identification - outside “Comfort Zone”
if “likely” look for “global precedents & parallels
do not be blinkered by “corporate / personal history”
Marsh
do not avoid the “apparently insolvable” - there is usually a
precedent
always debate the acceptance of risk and the associated
recovery strategy - they do change with time
28
What Is Different
Strategic Re-Assessment of BCM fundamentals
multiple and concurrent points of failure in critical systems
increased awareness of integration of “knowledge” and
systems
human element + logistics vs technology
geographical impacts (local-regional-global)
supply chains / fish-bones
redundancies vs interdependencies
cross - industry impacts
increased regulatory scrutiny
Marsh
29
References – post 9/11
Text sourced from “global continuity.com”
– incorporating findings from McKinsey; Gartner; Dataquest;
Marsh
PWC
Financial Review
Marsh
30