Risk Management

Business Continuity Planning and Management
Presentation Outline
 ISO Principles of Risk Management
 Disaster Recovery vs. Business Continuity
 Unexpected Events
 Business Continuity and Risk Avoidance
 Planning and Management
Break
 Development, Implementation and Exercise
 Return on Investment
 Business Continuity as an Operational Process
ISO Principles of Risk Management
   Should create value
   Must be an integral part of organizational processes
   Must be part of decision making
   Should explicitly address uncertainty and assumptions
   Is systematic and structured
   Should be based on the best available information
   Should be customizable
   Takes into account human factors
   Is transparent and inclusive
   Is dynamic, iterative and responsive to change
   Is continually improved and enhanced
   Must be continually or periodically re-assessed
Disaster Recovery vs. Business Continuity
   Disaster Recovery
       The processes involved in restoring a business to normal operation after its operations have been partially or completely interrupted by some event
   Business Continuity Planning
       Planning to keep your business operating through an unexpected event
   Business Continuity Management
       Managing and sustaining the key business components that bridge the event, so the business keeps running while recovery proceeds
   Discussion
Is Business Continuity Planning
Necessary?
   Compelling Factors
       Regulatory requirements
       Competitive requirements
       Customer impact
       Investor impact
       Potential litigation
   Does Company Size Matter?
       Is BCP for large companies only?
   Bottom Line
       Keep business functioning and
       Protect Company assets (human, IP, infrastructure)
Unexpected Events
What Constitutes a Disaster or
Business Continuity Interruption?
   Catastrophic Events
       Location destroyed
       Distribution center destroyed
       Headquarters destroyed
   Event Rising From:
       Supply Chain disruption
       Smoke/Fire
       Cyber attack
       Terrorism
       Earthquake
       Effects of a nearby disaster (RR tanker derails; Fukushima)
       Social disturbance (people are hurt and the facility is a crime scene)
   Be careful of playing the odds
       Virginia’s last earthquake: over 100 years ago; until August, 2011
Example Disruption Scenarios
   Level 1 — Loss of secondary function ($)
       Loss of SaaS provider (Outsourced Accounting System)
   Level 2 — Technology offline
       Loss of local computing environment
   Level 3 — Distribution network impact
       Loss of warehouse (physical goods)
   Level 4 — Regional command and control
       Loss of entire division
   Level 5 — Disaster ($$$$)
       Loss of entire company
   Cost rises with each level, from $ at Level 1 to $$$$ at Level 5
Business Continuity and Risk Avoidance

Business Continuity Overview
   Business initiative, not an Information Technology initiative
   Must keep key revenue streams operating
   Need a vulnerabilities list (highest to lowest)
   Risk avoidance
        Total Risk Avoidance
            Replicated facility (higher cost)
        Minimal Risk Avoidance
            Essential operational systems (lower cost)
   Balancing act
Keep Key Revenue Streams Operating
   Reduce or eliminate revenue stream interruptions by:
        Keeping supply chain moving
        Filling orders to key customers
        Receiving payments
        Paying key invoices
List Vulnerabilities
   Remember S.W.O.T. analysis
        Strengths — your Company may have an effective logistics network that can sustain loss of a warehouse with little or no impact to continuing operations
        Weaknesses — list areas where the Company is most vulnerable to interruptions, ordered by business impact
        Opportunities — you may be able to consolidate operations for the short term, or take advantage of unused space in a lesser-used building in the event of facility loss
        Threats — including those listed under Example Disruption Scenarios, natural disasters (floods, hurricanes, tornados, earthquakes), etc.
Other Vulnerability Assessment Tools
   Risk Identification
        Brainstorming
        Questionnaires
        Business studies assessing both internal and external factors which can influence operations
        Industry benchmarking
        Scenario analysis
        Risk assessment workshops
        Incident investigation
        Auditing and inspection
        HAZOP (Hazard & Operability Studies)
   Risk Analysis
        Dependency modeling
        Event tree analysis
        Real Option Modeling (Valuation)
        Decision making under conditions of risk and uncertainty
        Measures of central tendency and dispersion (descriptive statistics)
        PEST (Political, Economic, Social, Technological) analysis
Total Risk Avoidance
   How much is too much?
        Total Replication of all operational systems
        Example U.S. Postal Service (two of five Data Centers)
   Discussion
Minimal Risk Avoidance
   Essential Systems
        Payroll (time clocks)
        Inventory and Order Management
        E-mail (communication)
   5 Business Days
        A/R
        A/P
        Shipping
   Is this right?
Balancing Act
   Objective: Determine What You Need
   Total Risk Avoidance
        Fully Redundant Systems and Operations
            Facilities
            Inventory
            Shipping/Receiving
   Minimal Risk Avoidance
        Select functions deemed essential
        Some disruption in service is acceptable
   Discussion
Planning and Management
Managing the Risk
   High-level planning
   Develop the plan and publish it
   Implementation and exercise
   When is the plan considered complete?
Getting Started: Objectives
   Your Company’s Business Continuity and Needs
        Define what business continuity means for your company
        Determine what you need in order to maintain it
   Take nothing for granted
        Review all operational concerns
        Review both internal and external factors
   Discovery process budget
        Determine a rough order of magnitude budget for the discovery process
        Fund it
   Discussion: how can this be done?
High-level Planning
   Engage management and build the BCP team
        CEO, COO, CFO, CIO
        Name business and technology leaders as BCP stakeholders
   Create a standard Charter for the project
        Make it an Enterprise project
        Agree on a single individual as the owner, with an understudy
        Assign a project manager
   Isolate Continuity targets
        Essential business functions (use a risk matrix)
        Scrutinize pitfalls/darlings/issues
Project Charter
A Project Charter:
 Lists reasons for undertaking the project
 Solidifies objectives and constraints of the project
 Provides directions concerning the solution
 Gives names and titles of the main stakeholders
 Enumerates in-scope and out-of-scope items
 Acts as a high-level risk management plan
 Serves as a communication plan
 Targets project benefits
 Authorizes high-level budget and spending authority

Project Charters are used to:
 Authorize a project
 Aid with resource management
 Focus overall scope
Risk Matrix Example
   Helps isolate potential interruptions in service
   Link each threat to the affected operation’s service continuity plan
   Use one time horizon (for example, per year) for every probability and one scale for every impact, so the scores are comparable across rows

Threat                Probability (P)   Impact (I)   Risk = P x I
Hurricane                  80%              1           80%
Flooding – Internal        80%              1           80%
Severe Storms              25%              1           25%
Flooding – External        80%             0.2          16%
Wind Storm                 10%              1           10%
Tornado                    10%              1           10%
Terrorism                  10%              1           10%
Fire – Internal            10%              1           10%
Fire – External            10%              1           10%
Earthquake                  1%              1            1%
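A worked version of the matrix above, added here as an example and not part of the original presentation: it scores each threat as P x I, ranks the register, and reports which continuity plans the scores justify and which threats have no plan behind them. The threat names and P/I values are the slide's own; the plan names, the plan-to-threat mapping and the 10% threshold are assumptions made for the example.

```python
"""Risk register scoring as on the slide's matrix (Risk = P x I).

Added example, not from the original presentation. Threat names and the
P/I values are the ones on the slide; plan names and the threshold are
hypothetical, standing in for "link this to the affected operation's
service continuity plan".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # 0..1, over ONE common horizon (e.g. per year)
    impact: float        # 0..1, fraction of operations lost
    plan: str            # continuity plan that covers this threat (hypothetical)

    def __post_init__(self):
        # Reject values outside 0..1; a "150%" row silently distorts the ranking.
        for field_name in ("probability", "impact"):
            v = getattr(self, field_name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: {field_name}={v} is outside 0..1")

    @property
    def risk(self) -> float:
        return self.probability * self.impact


# Values copied from the slide's matrix; plan names are constructed for the example.
SLIDE_THREATS = [
    Threat("Hurricane",           0.80, 1.0, "site-loss"),
    Threat("Flooding - Internal", 0.80, 1.0, "site-loss"),
    Threat("Severe Storms",       0.25, 1.0, "site-loss"),
    Threat("Flooding - External", 0.80, 0.2, "supply-chain"),
    Threat("Wind Storm",          0.10, 1.0, "site-loss"),
    Threat("Tornado",             0.10, 1.0, "site-loss"),
    Threat("Terrorism",           0.10, 1.0, "site-loss"),
    Threat("Fire - Internal",     0.10, 1.0, "site-loss"),
    Threat("Fire - External",     0.10, 1.0, "site-loss"),
    Threat("Earthquake",          0.01, 1.0, "site-loss"),
]


def rank(threats):
    """Highest risk first; ties broken by impact so a rare-but-total event
    sorts above a frequent-but-partial one carrying the same score."""
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)


def plans_by_priority(threats, threshold=0.10):
    """Continuity plans that must exist, ordered by the worst risk each covers.
    Only threats scoring at or above `threshold` (assumed 10%) drive the list."""
    worst = {}
    for t in threats:
        if t.risk >= threshold:
            worst[t.plan] = max(worst.get(t.plan, 0.0), t.risk)
    return sorted(worst, key=worst.get, reverse=True)


def unplanned(threats, existing_plans):
    """Threats whose named plan is not among the plans actually written: a coverage gap."""
    return [t.name for t in threats if t.plan not in existing_plans]


def risk_table(threats):
    """The slide's table, regenerated in rank order."""
    rows = ["{:<22}{:>6}{:>8}{:>8}".format("Threat", "P", "I", "P x I")]
    for t in rank(threats):
        rows.append("{:<22}{:>5.0%}{:>8.1f}{:>7.0%}".format(
            t.name, t.probability, t.impact, t.risk))
    return "\n".join(rows)


if __name__ == "__main__":
    print(risk_table(SLIDE_THREATS))
    print("plans needed, by priority:", plans_by_priority(SLIDE_THREATS))
    print("no plan for:", unplanned(SLIDE_THREATS, {"site-loss"}))
```

Run as a script it prints the ranked table, then the plan order (site-loss first, supply-chain second, because external flooding scores 16% only on a 0.2 impact) and flags "Flooding - External" as uncovered when only a site-loss plan exists.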
Plan Components
   Establish objectives for the plan. Examples include:
        Run payroll within 24 hours of event
        Ship product within 48 hours of the event
   Essential personnel
        List personnel required for managing the processes
        List backup personnel, in the event the primary personnel are directly affected by the event
   Calendar/Timeline
        Create a calendar to pinpoint specific timing of actions
        List important dates such as payroll, monthly close, and other recurring events that can influence the required availability
Systems Recovery
   What systems are crucial to maintain continuity?
        Payroll and time clocks?
        Inventory and Order management?
        Shipping and Receiving?
        Email?
        All of the above?
   Be careful of purportedly autonomous systems
        Question from the shipping manager:
         “Since FedEx has supplied my shipping stations, and they are able to print shipping manifests, is it okay to go ahead and ship product even if the inventory and fulfillment systems are offline?”
        Do you think it’s okay?
Data Recovery
   Differences between System and Data Recovery
        Systems are the substrate that manage and present data
        Data carries the information
   Data Recovery Point Objective (RPO): the most recent state you can get back to
        How old is the data that can be recovered?
        Where is the backup stored? Offsite, or still on-site?
        When was the last validation that data could be recovered?
   Data Recovery Time Objective (RTO): how long until the data is usable again
        How long will it take to recover?
        Will data be recovered to the point just prior to the event?
        What about data that is lost between the last recovery point and the event?
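The RPO and RTO questions above reduce to checks that can be run against a backup catalog before an event, not after. The following is an added example, not from the presentation: the manifest format, system names, timestamps, measured restore times and the 90-day re-validation limit are all constructed for illustration, and a real run would read them from the backup system's catalog and from restore-test records.

```python
"""RPO / RTO check over a backup manifest.

Added example, not from the presentation. Everything in MANIFEST is
constructed: system names, plan targets, timestamps and restore timings.
"""
from datetime import datetime, timedelta, timezone

# Constructed manifest: per system, the targets the plan set, and what the
# backup catalog and the restore-test log actually show.
MANIFEST = {
    "payroll": {
        "rpo": timedelta(hours=24), "rto": timedelta(hours=24),
        "last_backup": "2011-12-13T22:00:00Z", "offsite": True,
        "last_restore_test": "2011-11-20T09:00:00Z",
        "measured_restore": timedelta(hours=6),
    },
    "inventory": {
        "rpo": timedelta(hours=4), "rto": timedelta(hours=48),
        "last_backup": "2011-12-13T06:00:00Z", "offsite": True,
        "last_restore_test": "2011-06-01T09:00:00Z",
        "measured_restore": timedelta(hours=30),
    },
    "email": {
        "rpo": timedelta(hours=24), "rto": timedelta(hours=24),
        "last_backup": "2011-12-14T01:00:00Z", "offsite": False,
        "last_restore_test": None, "measured_restore": None,
    },
}

MAX_TEST_AGE = timedelta(days=90)   # assumption: restores re-validated quarterly


def parse_ts(ts):
    """Catalog timestamps are UTC ISO-8601 with a trailing Z (assumed format)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_system(name, rec, now):
    """Findings for one system; an empty list means it meets the plan."""
    findings = []
    # RPO: the data you can recover is exactly as old as the last completed backup.
    data_age = now - parse_ts(rec["last_backup"])
    if data_age > rec["rpo"]:
        findings.append(f"{name}: RPO miss, recoverable data is {data_age} old (RPO {rec['rpo']})")
    # A copy that is still on the affected site is not a recovery point at all.
    if not rec["offsite"]:
        findings.append(f"{name}: only on-site copy, a site loss takes the backup with it")
    # RTO: only a measured restore proves the time; an untested backup proves nothing.
    if rec["last_restore_test"] is None:
        findings.append(f"{name}: restore never validated, RTO {rec['rto']} is unproven")
    else:
        test_age = now - parse_ts(rec["last_restore_test"])
        if test_age > MAX_TEST_AGE:
            findings.append(f"{name}: last restore test {test_age.days} days ago (limit {MAX_TEST_AGE.days})")
        if rec["measured_restore"] > rec["rto"]:
            findings.append(f"{name}: RTO miss, measured restore {rec['measured_restore']} exceeds {rec['rto']}")
    return findings


def check_all(manifest, now):
    """Map of system name to its findings, for every system in the manifest."""
    return {name: check_system(name, rec, now) for name, rec in manifest.items()}


if __name__ == "__main__":
    now = parse_ts("2011-12-14T12:00:00Z")   # constructed "event" time
    for name, findings in check_all(MANIFEST, now).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

With the constructed data, payroll passes; inventory fails on RPO (a 30-hour-old backup against a 4-hour target) and on a stale restore test; email fails because its only copy is on-site and a restore has never been exercised, so its 24-hour RTO is a guess, not a measurement.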
Break

Development, Implementation and Exercise
Develop the Overall Plan
   Stakeholders
        List their area’s essential business functions
        List alternatives for each business function in a matrix
        Plan for functions without immediate alternatives
   Assess alternatives for strategic functions
        Example: if a warehouse goes offline, can product ship from other
         warehouses? Include the estimated cost difference.
   Document a process flow for decision-making and emergency response.
        Ensure everyone knows who is in charge
        Establish a single point of contact for media relations and ensure all responses are funneled through them
        Do not depend on making good decisions inside the tornado
Develop the Execution Plan
   Formulate Business Continuity Management Plan
        Assign point individuals to manage specific areas of operation
        Ensure everyone has a backup
   Establish action plans for:
                     p
        Running day-to-day operations
        Contacting insurance companies and managing distributions
        Recovering from the interruption. Include vendors to source
         product, infrastructure and services
        Crisis communications to keep staff updated as changes occur
Implementation and Exercise
   Train for the exercise:
        Notify participants of it,
        Stage it, and
        Implement it!
   Implement it in stages:
        First, work out what you thought would happen
        Adjust the plan based on what actually happens
   Common misconception: you can’t exercise everything in the plan
        Yes, you can
        You may choose not to, because of disruption or cost
   Choose a cycle for exercise, and stick to it.
        Minimal: annual (has drawbacks)
        Optimal: quarterly
        Super-optimal: continual (may apply to specific processes only)

        “No plan survives the battlefield.” — Helmuth von Moltke
When is the Plan Considered Complete?
   Never
   Business Continuity is not a Project
        It’s a program
        It’s an operational p
                   p          process
        It’s a strategy
        It exists as long as your business does
   Each exercise should reflect an updated plan
        Exercising the plan is like putting on a play
        Remember your lines
   Discussion
Return on Investment
Quote #1
A Grudge Buy or Providing ROI?
“The fact that most organizations are unlikely to ever use the full extent of the services they have paid for has, in the past, made disaster [recovery] something of a ‘grudge buy’ and not something that most companies are eager to spend money on.”
                                                     ITWEB
                                          September 25, 2001
Quote #2
Probability or Availability?
“…the probabilities associated by corporate management with the occurrence of most disasters are so low that the expected value of most disaster recovery programs does not begin to cover the costs required to implement (or purchase) them.”
                                                                 William Cappelli
                            Disaster Recovery Program Costing: The Missing Element
                                                                      from GIGA
                                                                 January 22, 1998
Quote #3
Bottom Line or Bottomless Pit?
“Recovery services don’t add anything to the bottom line, but the consequences of not having a plan in place can be disastrous.”
                                                              Dave Linacre
                                                          Managing Director
                              IBM Business Continuity and Recovery Services
Reasons ROI Is Not Calculated
   Difficulties in making the calculation
   Not a financial decision
   Lack of commitment to the process
   Not an important issue
   Bottom Line:
    Should it take a disaster to recover your investment?
Calculating Return on Investment
   ROI is normally calculated on projects with fixed costs and an end date
        Business Continuity starts as a project, but becomes an on-going operational program
        Cost vs. Time to Ownership: hard to calculate
            The project has high development costs up-front
            The project’s long tail never ends (constant updates as new systems and changes to business processes occur)
        Value Perspective: possible to calculate
            Complex calculation (host of factors including loss of productivity)
            Moderate calculation (risk register)
            Simple calculation (loss by specific system)
        Cost of Downtime
The Cost of Downtime

   Tangible Costs
        Lost Revenue
        Lost Wages
        Remedial Labor Costs
        Lost Inventory
        Marketing Costs
        Bank Fees / Penalties
        Legal Costs
   Intangible Costs
        Lost Opportunity
        Employee Retention
        Loss in Share Value
        Goodwill
        Brand Damage
Example Costs of Doing Nothing
Average Hourly Costs of Downtime
         Airline Reservations:        $    89,500
         Retail Catalog:              $    90,000
         Infomercials / Promotion:    $   199,500
         Retail Banking:              $ 1,000,000
         Retail Brokerage:            $ 6,500,000
Business Continuity as an Operational Process

Implementing Business Continuity
   What Not To Do?
        Treat BCP like a one-time project
        Turn BCP into a Compliance Program
   What To Do?
        Weave the program into processes as a forethought, not an afterthought
        Make BCP part of the operational fabric
        Validate progress with each Business Continuity exercise
        Grow Business Continuity as your business grows
ISO Principles of Risk Management
and Business Continuity
   Should create value
        BCP creates value by ensuring continued business operation
   Must be an integral part of organizational processes
        BCP is an operational process and is therefore integral to the organization
   Must be part of decision making
        BCP is strategic, and therefore part of decision making
   Should explicitly address uncertainty and assumptions
        BCP inherently addresses uncertainty and assumptions
   Is systematic and structured
        BCP is a systematic and structured process that grows with the business
   Should be based on the best available information
        BCP is based on the best available information at its inception, and it is continually updated
   Should be customizable
        BCP can be customized as changes in the business dictate
   Takes into account human factors
        BCP ensures that the plan addresses capabilities of people who can facilitate (or hinder) business continuity
   Is transparent and inclusive
        BCP is transparent and inclusive by ensuring that stakeholders are fully involved in every aspect of the process
   Is dynamic, iterative and responsive to change
        BCP changes as the business grows and expands
   Is continually improved and enhanced
        BCP is an operational process that continually improves as the business grows
   Must be continually or periodically re-assessed
        BCP is continually re-assessed as changes occur in the business
Questions
Sources
   DRI International
   Continuity Central
   Continuity Insights 2011 Conference
   Disaster Recovery Resources
   Disaster Recovery World
   PilotOnline.com
   Humbach, Rob. “Disaster Recovery: Finding ROI Without the Disaster,” 2003
   A Risk Management Standard, AIRMIC, ALARM, IRM: 2002
   Wikipedia (various subject articles)

    © 2010 — 2011, The Arrington Group, Inc.
    This presentation has been uploaded to SlideShare as a marketing instrument for the services of The Arrington Group, Inc.

    The Arrington Group respectfully requests that you not use this presentation, or specific content from it, without express permission from
    The Arrington Group, Inc. Therefore, no person, organization or other entity should use this presentation, or specific content from it, as or in
    their own presentation. If you would like to use aspects of this presentation, or have questions regarding this one, please direct your inquiry to
    Cody.Shive@The-Arrington-Group.com.

    The Arrington Group, Inc. does, however, grant you the right to cite this presentation, or aspects of it, as a bibliographical reference.
    Therefore, if you use this presentation for your research, please include the following citation:

      Shive, Cody. “Business Continuity Planning and Management." The Arrington Group, Inc. SlideShare, 14 Dec. 2011. Web. 14 Dec. 2011.

    All diagrams used in this presentation are © The Arrington Group, Inc. Images used are public domain.

Risk Management - Business Continuity Planning and Management

  • 1.
    Risk Management Business ContinuityPlanning and Management
  • 2.
    Presentation Outline  ISOPrinciples of Risk Management  Disaster Recovery vs Business Continuity vs.  Unexpected Events  Business Continuity and Risk Avoidance  Planning and Management Break  Development, Implementation and Exercise  Return on Investment  Business Continuity as an Operational Process 2
  • 3.
    ISO Principles ofRisk Management  Should create value  Must be an integral part of organizational processes g p g p  Must be part of decision making  Should explicitly address uncertainty and assumptions  Is I systematic and structured d d  Should be based on the best available information  Should be customizable  Takes into account human factors  Is transparent and inclusive  Is dynamic, iterative and responsive to change  Is continually improved and enhanced  Must be continually or periodically re assessed re-assessed 3
  • 4.
    Disaster Recovery vs. Business Continuity
  • 5.
    Disaster Recovery vs.Business Continuity  Disaster Recovery  The processes involved in restoring a business to normal operation after its operations have been partially or completely interrupted by some event  Business Continuity Planning  Planning to keep your business operating through an unexpected event  Business Continuity Management  Managing the sustaining key business components, bridging the g g g y p g g event  Discussion 5
  • 6.
    Is Business ContinuityPlanning Necessary?  Compelling Factors  Regulatory requirements  Competitive requirements  Customer impact  Investor impact  Potential litigation  Does Company Size M D C Si Matter? ?  Is BCP for large companies only?  Bottom Line  Keep business functioning and  Protect Company assets ( p y (human, IP, infrastructure) , , ) 6
  • 7.
  • 8.
    What Constitutes aDisaster or Business Continuity Interruption?  Catastrophic Events  Location destroyed  Distribution center destroyed D b d d  Headquarters destroyed  Event Rising From:  Supply Chain disruption  Smoke/Fire  Cyber attack  Terrorism  Earthquake  Affects of nearby disaster (RR tanker derails; Fukushima)  Social di S i l disturbance (people are hurt and facility is crime scene) b ( l h d f ili i i )  Be careful of playing the odds  Virginia’s last earthquake: over 100 years ago; until August, 2011 8
  • 9.
    Example Disruption Scenarios  Level 1 — Loss of secondary function  Loss of SaaS provider (Outsourced Accounting System) $  Level 2 — Technology offline  Loss of local computing environment p g  Level 3 — Distribution network impact  Loss of warehouse (physical goods) Cost  Level 4 — Regional command and control  Loss of entire division  Level 5 — Disaster  Loss of entire company $$$$ 9
  • 10.
    Business Continuity and Risk Avoidance
  • 11.
    Business Continuity Overview  Business initiative, not an Information Technology initiative  Must keep key revenue streams operating  Need a vulnerabilities list (highest to lowest)  Risk avoidance  Total Risk Avoidance  Replicated facility (higher cost)  Minimal Risk Avoidance  Essential operational systems (lower cost)  Balancing act 11
  • 12.
    Keep Key RevenueStreams Operating  Reduce or eliminate revenue stream interruptions by:  Keeping supply chain moving  Filling orders to key customers  Receiving payments  Paying key invoices 12
  • 13.
    List Vulnerabilities  Remember S.W.O.T. analysis  Strengths — your Company may have an effective logistics network that can sustain loss of a warehouse with little or no impact to continuing operations  Weaknesses — li areas where the C W k list h h Company is most i vulnerable to interruptions ordered by business impact  Opportunities — you may be able to consolidate operations pp y y p for the short term, or take advantage of unused space in a lesser-used building in the event of facility loss  Threats — including those listed under Example Disruptive Scenarios, natural disasters (floods, hurricanes, tornados, earthquakes), etc. 13
  • 14.
    Other Vulnerability AssessmentTools Risk Identification Risk Analysis  Brainstorming  Dependency modeling  Questionnaires  Event tree analysis  Business studies assessing both  Real Option Modeling internal and external factors i l d lf (Valuation) (V l i ) which can influence operations  Decision making under  Industry benchmarking conditions of risk and  Scenario analysis uncertainty i  Risk assessment workshops  Measures of central tendency and dispersion (descriptive  Incident investigation statistics) i i )  Auditing and inspection  PEST (Political, Economic,  HAZOP (Hazard & Operability Social,Technological) analysis Studies) 14
  • 15.
    Total Risk Avoidance  How much is too much?  Total Replication of all operational systems  Example U.S. Postal Service (two of five Data Centers)  Discussion. 15
  • 16.
    Minimal Risk Avoidance  Essential Systems  Payroll (time clocks) y ( )  Inventory and Order Management  E-mail (communication) ( )  5 Business Days  A/R  A/P  Shipping  Is this i ht? I thi right? 16
  • 17.
    Balancing Act  Objective: Determine What You Need  Total Risk Avoidance  Fully Redundant Systems and Operations  Facilities  Inventory  Shipping/Receiving  Minimal Risk Avoidance  Select functions deemed essential  Some disruption in service is acceptable p p  Discussion 17
  • 18.
  • 19.
    Managing the Risk  High-level planning  Develop the plan and publish it  Implementation and exercise  When is the plan considered complete? 19
  • 20.
    Getting Started: Objectives  Your Company’s Business Continuity and Needs  Define what business continuity means for your company  Determine what you need in order to maintain it  Take nothing for granted g g  Review all operational concerns  Review both internal and external factors  Discovery process budget  Determine a rough order of magnitude budget for the discovery process  Fund it  Discussion: how can this be done? 20
  • 21.
    High level High-level Planning  Engage management and build the BCP team  CEO, COO, CFO, CEO COO CFO CIO  Name business and technology leaders as BCP stakeholders  Create a standard Charter for the project p j  Make it an Enterprise project  Agree on a single individual as the owner with an understudy  Assign a project manager  Isolate Continuity targets  Essential business functions (use a risk matrix)  Scrutinize pitfalls/darlings/issues 21
  • 22.
    Project Charter A ProjectCharter:  Lists reasons for undertaking the project  Solidifies objectives and constraints of the project  Provides directions concerning the solution  Gives names and titles of the main stakeholders  Enumerates in-scope and out-of-scope items  D Dictates as a high-level risk management plan h hl l k l  Serves as a communication plan  Targets project benefits Project Charters are used to:  Authorize a project  Authorizes high-level budget  Aid with resource management and spending authority  Focus overall scope 22
  • 23.
    Risk Matrix Example  Helps isolate potential interruptions in service  Link this to affected operations service continuity plan Threat Probability (P) Impact (I) Risk = P x I Hurricane % 80% 1 80% % Flooding – Internal 80% 1 80% Severe Storms 25% 1 25% Flooding – External 80% 0.2 16% Wind Storm 10% 1 10% Tornado 10% 1 10% Terrorism 10% 1 10% Fire – Internal 10% 1 10% Fire – External 10% 1 10% Earthquake 1% 1 1% 23
  • 24.
    Plan Components  Establish objectives for the plan. Examples include:  Run payroll within 24 hours of event  Ship product within 48 hours of the event  Essential personnel p  List personnel required for managing the processes  List backup personnel, in the event the primary personnel are directly ff t d b th di tl affected by the event t  Calendar/Timeline  Create a calendar to pinpoint specific timing of actions  List important dates such as payroll, monthly close, and other recurring events that can influence the required availability 24
  • 25.
    Systems Recovery  What systems are crucial to maintain continuity?  Payroll and time clocks?  Inventory and Order management?  Shipping and Receiving?  Email?  All of the above?  Be B careful of purportedly autonomous systems f l f dl  Question from the shipping manager: “Since FedEx has supplied my shipping stations, and they are able to Since print shipping manifests, is it okay to go ahead and ship product even if the inventory and fulfillment systems are offline?” Do you think it’s okay? it s 25
  • 26.
Data Recovery
 Differences between System and Data Recovery
   Systems are the substrate that manage and present data
   Data carries the information
 Data Recovery Point Objective
   How old is the data that can be recovered?
   Where is the backup stored? Offsite, or still on-site?
   When was the last validation that data could be recovered?
 Data Recovery Time Objective
   How long will it take to recover?
   Will data be recovered to the point just prior to the event?
   What about data that is lost?
26
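The three Recovery Point questions on this slide (how old, where stored, when last validated) and the Recovery Time question can be turned into a repeatable check over a backup inventory. The following is an added example, not material from the presentation or The Arrington Group; the objectives, backup copies, restore tests and the fixed "now" timestamp are all constructed. The point it makes that the slide only hints at: when the objective requires an off-site copy, the recovery point is the age of the newest copy that survives loss of the site, not the age of the newest backup of any kind.

```python
# Added example (not from the presentation): checking a backup inventory
# against Recovery Point and Recovery Time objectives.
# All objectives, backup copies and restore tests below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Objective:
    system: str
    rpo: timedelta                 # how old recovered data may be
    rto: timedelta                 # how long recovery may take
    max_validation_age: timedelta  # how recently a restore must have been proven
    require_offsite: bool          # only copies that survive loss of the site count


@dataclass(frozen=True)
class BackupCopy:
    system: str
    taken_at: datetime
    location: str  # "offsite" or "onsite"


@dataclass(frozen=True)
class RestoreTest:
    system: str
    tested_at: datetime
    duration: timedelta  # wall-clock time the validated restore took


def evaluate(obj: Objective, copies: List[BackupCopy],
             tests: List[RestoreTest], now: datetime) -> List[str]:
    """Return findings for one system; an empty list means every objective is met."""
    findings: List[str] = []
    # "Where is the backup stored?": on-site copies do not count if the objective needs off-site.
    usable = [c for c in copies if c.system == obj.system
              and (c.location == "offsite" or not obj.require_offsite)]
    if not usable:
        return [f"{obj.system}: no usable backup copy on record"]
    # "How old is the data that can be recovered?"
    newest = max(usable, key=lambda c: c.taken_at)
    data_age = now - newest.taken_at
    if data_age > obj.rpo:
        findings.append(f"{obj.system}: RPO missed, newest usable copy ({newest.location}) "
                        f"is {data_age} old, objective {obj.rpo}")
    # "When was the last validation that data could be recovered?"
    own_tests = [t for t in tests if t.system == obj.system]
    if not own_tests:
        findings.append(f"{obj.system}: restore never validated, RTO {obj.rto} unproven")
        return findings
    latest = max(own_tests, key=lambda t: t.tested_at)
    if now - latest.tested_at > obj.max_validation_age:
        findings.append(f"{obj.system}: last restore validation is {now - latest.tested_at} old, "
                        f"limit {obj.max_validation_age}")
    # "How long will it take to recover?": use the measured time, not a hoped-for one.
    if latest.duration > obj.rto:
        findings.append(f"{obj.system}: RTO missed, validated restore took {latest.duration}, "
                        f"objective {obj.rto}")
    return findings


def report(objectives: List[Objective], copies: List[BackupCopy],
           tests: List[RestoreTest], now: datetime) -> Dict[str, List[str]]:
    """Findings per system across the whole inventory."""
    return {o.system: evaluate(o, copies, tests, now) for o in objectives}


# Constructed sample inventory; "now" is fixed so the example is reproducible.
NOW = datetime(2011, 12, 14, 9, 0, tzinfo=timezone.utc)
H, D = timedelta(hours=1), timedelta(days=1)

OBJECTIVES = [
    Objective("payroll", rpo=24 * H, rto=24 * H, max_validation_age=90 * D, require_offsite=True),
    Objective("inventory", rpo=4 * H, rto=48 * H, max_validation_age=90 * D, require_offsite=False),
    Objective("email", rpo=24 * H, rto=72 * H, max_validation_age=180 * D, require_offsite=True),
]
COPIES = [
    BackupCopy("payroll", NOW - 2 * H, "onsite"),   # fresh, but lost together with the site
    BackupCopy("payroll", NOW - 5 * D, "offsite"),  # the copy that actually survives a site loss
    BackupCopy("inventory", NOW - 1 * H, "onsite"),
    BackupCopy("email", NOW - 3 * H, "offsite"),
]
TESTS = [
    RestoreTest("payroll", NOW - 30 * D, 6 * H),
    RestoreTest("email", NOW - 10 * D, 96 * H),     # restore works, but far too slowly
]

if __name__ == "__main__":
    for system, findings in report(OBJECTIVES, COPIES, TESTS, NOW).items():
        print(system, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Run as-is, the report flags payroll for a missed RPO (the only off-site copy is five days old even though an on-site copy is two hours old), inventory for never having had a restore validated, and email for a validated restore that takes longer than its RTO.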
Develop the Overall Plan
 Stakeholders
   List their area's essential business functions
   List alternatives for each business function in a matrix
   Plan for functions without immediate alternatives
 Assess alternatives for strategic functions
   Example: if a warehouse goes offline, can product ship from other warehouses? Include the estimated cost difference.
 Document a process flow for decision making and emergency decision-making response.
   Ensure everyone knows who is in charge
   Establish a single point of contact for media relations and ensure all responses are funneled through them
   Do not depend on making good decisions inside the tornado
29
Develop the Execution Plan
 Formulate Business Continuity Management Plan
   Assign point individuals to manage specific areas of operation
   Ensure everyone has a backup
 Establish action plans for:
   Running day-to-day operations
   Contacting insurance companies and managing distributions
   Recovering from the interruption. Include vendors to source product, infrastructure and services
   Crisis communications to keep staff updated as changes occur
30
Implementation and Exercise
"No plan survives the battlefield." — Helmuth von Moltke
 Train for the exercise:
   Notify participants of it,
   Stage it, and
   Implement it!
 Implement it in stages:
   First, work out what you thought would happen
   Adjust the plan based on what actually happens
 Common misconception: you can't exercise everything in the plan
   Yes, you can
   You may choose not to, because of disruption or cost
 Choose a cycle for exercise, and stick to it
   Minimal: annual (has drawbacks)
   Optimal: quarterly
   Super-optimal: continual (may apply to specific processes only)
31
When is the Plan Considered Complete?
 Never
 Business Continuity is not a Project
   It's a program
   It's an operational process
   It's a strategy
   It exists as long as your business does
 Each exercise should reflect an updated plan
 Exercising the plan is like putting on a play
   Remember your lines
 Discussion
32
Quote #1: A Grudge Buy or Providing ROI?
"The fact that most organizations are unlikely to ever use the full extent of the services they have paid for has, in the past, made disaster [recovery] something of a 'grudge buy' and not something that most companies are eager to spend money on."
ITWEB, September 25, 2001
34
Quote #2: Probability or Availability?
"…the probabilities associated by corporate management with the occurrence of most disasters are so low that the expected value of most disaster recovery programs does not begin to cover the costs required to implement (or purchase) them."
William Cappelli, "Disaster Recovery Program Costing: The Missing Element," GIGA, January 22, 1998
35
Quote #3: Bottom Line or Bottomless Pit?
"Recovery services don't add anything to the bottom line, but the consequences of not having a plan in place can be disastrous."
Dave Linacre, Managing Director, IBM Business Continuity and Recovery Services
36
Reasons ROI Is Not Calculated
 Difficulties in making the calculation
 Not a financial decision
 Lack of commitment to the process
 Not an important issue
 Bottom Line: Should it take a disaster to recover your investment?
37
Calculating Return on Investment
 Calculated on projects with fixed costs and an end date
   Business Continuity starts as a project but becomes an on-going operational program
 Cost vs. Time to Ownership: hard to calculate
   The project has high development costs up-front
   The project's long tail never ends (constant updates as new systems and changes to business processes occur)
 Value Perspective: possible to calculate
   Complex calculation (host of factors including loss of productivity)
   Moderate calculation (risk register)
   Simple calculation (loss by specific system)
 Cost of Downtime
38
The Cost of Downtime
Tangible Costs:
 Lost Revenue
 Lost Wages
 Remedial Labor Costs
 Lost Inventory
 Marketing Costs
 Bank Fees / Penalties
 Legal Costs
Intangible Costs:
 Lost Opportunity
 Employee Retention
 Loss in Share Value
 Goodwill
 Brand Damage
39
Example Costs of Doing Nothing
Average Hourly Costs of Downtime:
 Airline Reservations: $89,500
 Retail Catalog: $90,000
 Infomercials / Promotion: $199,500
 Retail Banking: $1,000,000
 Retail Brokerage: $6,500,000
40
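The risk matrix (Risk = P x I), the "moderate" risk-register and "simple" loss-by-system calculations of the ROI slide, and the hourly downtime figures above fit together into one calculation. The following is an added example, not material from the presentation or The Arrington Group. The probabilities and impacts are the deck's risk matrix and the hourly cost is the deck's Retail Catalog figure; the outage hours per threat, the 24-hour recovery target and the $750,000 program cost are constructed assumptions. It also goes one step beyond the slide: P x I ranks threats, but two threats with the same P x I can cost very different amounts once the duration of the outage is included, which is what the ROI view needs.

```python
# Added example (not from the presentation): the deck's risk matrix as a
# risk register, then the cost of downtime and a value-perspective ROI check.
# P and I are the deck's; outage hours, recovery target and program cost are
# constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # annual likelihood of occurrence, 0..1 (from the deck)
    impact: float        # share of operations lost if it occurs, 0..1 (from the deck)
    outage_hours: float  # assumed hours of disruption with no plan (constructed)

    @property
    def risk(self) -> float:
        """The deck's Risk = P x I score."""
        return self.probability * self.impact


# Deck's risk matrix; outage_hours is a constructed assumption per threat.
RISK_MATRIX: List[Threat] = [
    Threat("Hurricane", 0.80, 1.0, 72),
    Threat("Flooding – Internal", 0.80, 1.0, 48),
    Threat("Severe Storms", 0.25, 1.0, 8),
    Threat("Flooding – External", 0.80, 0.2, 24),
    Threat("Wind Storm", 0.10, 1.0, 8),
    Threat("Tornado", 0.10, 1.0, 72),
    Threat("Terrorism", 0.10, 1.0, 72),
    Threat("Fire – Internal", 0.10, 1.0, 120),
    Threat("Fire – External", 0.10, 1.0, 24),
    Threat("Earthquake", 0.01, 1.0, 240),
]

# Hourly downtime cost: the deck's "Retail Catalog" figure, used here as an assumption.
HOURLY_COST = 90_000.0


def rank_threats(threats: List[Threat], threshold: float = 0.10) -> List[Threat]:
    """Threats whose P x I meets the threshold, highest risk first (stable on ties)."""
    return sorted((t for t in threats if t.risk >= threshold),
                  key=lambda t: t.risk, reverse=True)


def expected_downtime_hours(threats: List[Threat], cap_hours: Optional[float] = None) -> float:
    """Expected hours lost per year: sum of P x I x outage, optionally capped at a recovery target."""
    total = 0.0
    for t in threats:
        hours = t.outage_hours if cap_hours is None else min(t.outage_hours, cap_hours)
        total += t.probability * t.impact * hours
    return total


def expected_downtime_cost(threats: List[Threat], hourly_cost: float,
                           cap_hours: Optional[float] = None) -> float:
    """The slide's 'simple calculation': expected annual loss for one system."""
    return expected_downtime_hours(threats, cap_hours) * hourly_cost


def bcp_roi(threats: List[Threat], hourly_cost: float,
            rto_hours: float, program_cost: float) -> Tuple[float, float]:
    """Value perspective: loss avoided by holding every outage to the RTO, and net of program cost."""
    without_plan = expected_downtime_cost(threats, hourly_cost)
    with_plan = expected_downtime_cost(threats, hourly_cost, cap_hours=rto_hours)
    avoided = without_plan - with_plan
    return avoided, avoided - program_cost


if __name__ == "__main__":
    for t in rank_threats(RISK_MATRIX):
        print(f"{t.name:<22} P={t.probability:>4.0%} I={t.impact:<3} risk={t.risk:.0%}")
    avoided, net = bcp_roi(RISK_MATRIX, HOURLY_COST, rto_hours=24, program_cost=750_000)
    print(f"expected annual loss avoided: ${avoided:,.0f}; net of program cost: ${net:,.0f}")
```

With these assumptions the register drops only Earthquake below the 10% threshold, the uncapped expected loss is about 133.8 hours a year, and holding every outage to 24 hours cuts that to about 54.9 hours, so the avoided loss covers the assumed program cost many times over. Swap in your own hourly cost, outage estimates and program cost; the shape of the calculation is what the slide is asking for.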
Business Continuity as an Operational Process
Implementing Business Continuity
 What Not To Do?
   Treat BCP like a one-time project
   Turn BCP into a Compliance Program
 What To Do?
   Weave the program into processes as a forethought, not an afterthought
   Make BCP part of the operational fabric
   Validate progress with each Business Continuity exercise
   Grow Business Continuity as your business grows
42
ISO Principles of Risk Management and Business Continuity
 Should create value
   BCP creates value by ensuring continued business operation
 Must be an integral part of organizational processes
   BCP is an operational process and is therefore integral to the organization
 Must be part of decision making
   BCP is strategic, and therefore part of decision making
 Should explicitly address uncertainty and assumptions
   BCP inherently addresses uncertainty and assumptions
 Is systematic and structured
   BCP is a systematic and structured process that grows with the business
 Should be based on the best available information
   BCP is based on the best available information at its inception, and it is continually updated
 Should be customizable
   BCP can be customized as changes in the business dictate
 Takes into account human factors
   BCP ensures that the plan addresses capabilities of people who can facilitate (or hinder) business continuity
 Is transparent and inclusive
   BCP is transparent and inclusive by ensuring that stakeholders are fully involved in every aspect of the process
 Is dynamic, iterative and responsive to change
   BCP changes as the business grows and expands
 Is continually improved and enhanced
   BCP is an operational process that continually improves as the business grows
 Must be continually or periodically re-assessed
   BCP is continually re-assessed as changes occur in the business
43
Sources
 DRI International
 Continuity Central
 Continuity Insights 2011 Conference
 Disaster Recovery Resources
 Disaster Recovery World
 PilotOnline.com
 Humbach, Rob. "Disaster Recovery: Finding ROI Without the Disaster," 2003
 A Risk Management Standard, AIRMIC, ALARM, IRM: 2002
 Wikipedia (various subject articles)

© 2010 — 2011, The Arrington Group, Inc.
This presentation has been uploaded to SlideShare as a marketing instrument for the services of The Arrington Group, Inc. The Arrington Group respectfully requests that you not use this presentation, or specific content from it, without express permission from The Arrington Group, Inc. Therefore, no person, organization or other entity should use this presentation, or specific content from it, as or in their own presentation. If you would like to use aspects of this presentation, or have questions regarding this one, please direct your inquiry to [email protected].
The Arrington Group, Inc. does, however, grant you the right to cite this presentation, or aspects of it, as a bibliographical reference. Therefore, if you use this presentation for your research, please include the following citation:
Shive, Cody. "Business Continuity Planning and Management." The Arrington Group, Inc. SlideShare, 14 Dec. 2011. Web. 14 Dec. 2011.
All diagrams used in this presentation are © The Arrington Group, Inc. Images used are public domain.
45