3/27/2015
The 13th Annual Continuity Insights Management Conference
Presented by: Continuity Insights
April 20-22, 2015, Talking Stick Resort ● Scottsdale, AZ
Next Generation Resilience
What Enterprise-Wide Business Continuity Really Means
April 20, 2015
Communicating the value of BC to management and embedding it into the corporate culture
“In preparing for battle I have always found that plans are useless, but planning is indispensable.”
Dwight D. Eisenhower
Agenda
• Background
• Program Elements
• What Makes it “Enterprise-wide”
• Recommended Strategies
13th Annual Continuity Insights Management Conference: Next Generation Resilience
• Established in 1896, Preferred Mutual Insurance Company is headquartered in New Berlin, New York
• Provides property and casualty insurance coverage to individual and business customers through a network of independent agents throughout the Northeast
• Rated "A" (Excellent) by A.M. Best
• Please visit us at www.preferredmutual.com
• Email questions to dave.prosser@preferredmutual.com
Where To Begin???
Business, Catastrophe, Crisis, Disaster, Emergency, Incident, Risk, Technology (IT)
Contingency, Continuity, Disruption, Interruption, Recovery, Resilience
Management, Planning, Preparedness, Program, Readiness
What do we do?
Let’s See What the Industry Has To Say
Business Continuity:
• An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services. (NFPA 1600)
• The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. (DRJ)
Business Continuity Management:
• Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (ISO 22301)
• The process that organizations use to ensure business continuity is maintained across their organization. (DRJ)
Business Continuity Program:
• Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management. (ISO 22301)
More Industry Terminology
Business Continuity Management Program:
• Ongoing management and governance process supported by top management and appropriately resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review. (BCI)
Disaster Recovery:
• The technical aspect of business continuity. The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster recovery includes subsequent resumption and restoration of those operations at a more permanent site. (DRJ)
Disaster/Emergency Management:
• An ongoing process to prevent, mitigate, prepare for, respond to, maintain continuity during, and recover from an incident that threatens life, property, operations, or the environment. (NFPA 1600)
• A program that implements the mission, vision, strategic goals, objectives and management framework of the program and organization. (BCI)
Encompassing “the Enterprise”
Enterprise-wide:
• Encompassing an entire organization, rather than a single business department or function. (FFIEC IT Examination Handbook, Business Continuity Planning, Appendix B: Glossary)
Enterprise Risk Management (ERM):
• ERM includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. (BCI and Wikipedia)
(Keep in mind, this has only been a sampling of terms…)
1st Step… Pick the ‘Broadest Starting Point’
Business Continuity Management (BCM):
• Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience¹ with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (ISO 22301)
¹ Resilience:
• (1) the ability to become strong, healthy, or successful again after something bad happens; (2) the ability of something to return to its original shape after it has been pulled, stretched, pressed, bent, etc. (Merriam-Webster.com)
• The adaptive capacity of an organization in a complex and changing environment. (ASIS)
• Editor’s Note: (a) Resilience is the ability of an organization to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event. (b) Resilience is the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must. (ASIS)
Going Forward: Use Known References and Leverage Industry Best-Practices
• DRI International (DRII) – Professional Practices
• Business Continuity Institute (BCI) – Good Practices Guidelines
• Standards Bodies and Regulatory Agency Frameworks, Directives and Documentation (ISO, NFPA, SEC, FFIEC, HIPAA, etc.)
• Industry Publications, White Papers and Recognized Conference Materials (e.g. Continuity Insights)
• Reputable and Trusted Experts, Consultants, Vendors and/or Business Partners
Enterprise-wide is Thought-Shifting
[Diagram: From This… BC Plan Ownership sits with BCM (You), inside Your Organization. To This… BC Plan Ownership sits with Your Organization, with BCM (You) providing Facilitation/Expertise.]
Requires Dept Heads becoming Plan Owners
[Diagram: departments and business units arranged around BCM and Comm, grouped into Incident Response (& Mgmt), Critical Infrastructure/Support and Direct Customer-facing Areas: IT Operations, Customer Service, Gov’t Affairs, Site Services, Corp Comm, Field Agency Marketing, Actuarial, Commercial Lines, Human Resources, QA & Agency Interface, CIRT, Internal Audit, Executive Team Liaison, General Counsel, Personal Lines, IT Enterprise Applications, SBS Project Development, Financial Operations, Finance & Risk Mgmt, Claims, Other Depts/BU’s…]
Enterprise-wide is also Approach-Shifting (Process-based vs Scenario-based plans)
[Diagram: each PROCESS is mapped to its resource requirements: Applications/Software, Equipment, Supplies, Vital Records, Com. Devices, Teams, Employees, Providers/Vendors, Customers, Tasks, Procedures, Agents and/or Policyholders, Suppliers and/or Vendors.]
① BU’s Identify Process Resource Requirements… ② Then common dept tasks… ③ And then broad scenarios…
Overlay with Company Strategic Responses:
• Building Outage
• Technology Outage
• Inclement Weather / Regional Disaster
• Pandemic (Workforce Red)
Dept BC Plan: a set of Processes, each with its Process Tasks, plus a Dept/BU Leadership Checklist:
- Account for Employees
- Determine Critical Staffing needs
- Report Status
- Determine escalation/activation
- (etc., etc….)
Enterprise-wide Bridges Gaps
[Diagram: the process-to-resource map from the previous slide, shown side by side for two departments/BU’s.]
• Focus/Highlight BIA and Business Process Prioritization
• Ensure the correct level of IT DR, given the ‘ultra-low tolerance for latency’ world in which we operate today
• Ensure the business has the correct IT DR expectations
• Address Work Area Recovery/Continuity
• Keep Management involved and continuously updated
Requires Enterprise-Wide Incident Coordination
[Org chart: Incident Commander (IC), the person “In-Charge”, named at T.O.D. CEO: Strategic Oversight; Strategy Team (co-back-ups: SVP’s); Executive Liaison; Facilitation by BCM. Section leads are VP’s and Sr Directors, each with a Back-up #1 and Back-up #2.
Legend: Command; Infrastructure; Logistics; Finance; Planning & Intelligence (P & I)
Finance Lead: Finance & Risk Mgt (Finance Back-up #1, Finance Back-up #2)
P & I Co-Leads: Personal Lines, Customer Service (P&I Back-up #1, P&I Back-up #2)
Logistics Co-Leads: Corp Communications, Human Resources (CC Back-up #1, CC Back-up #2, HR Back-up #1, HR Back-up #2)
Infrastructure Co-Leads: IT Operations, IT Disaster Recovery (IT Back-up #1, IT Back-up #2); Site Services (SS Back-up #1)
Also shown: Actuarial, Internal Audit, Commercial Lines, Field Agency Marketing, Gov’t Affairs, SBS Project Dev, Gen Counsel, QA & Agency Interface, Claims, IT Ent Applications, Financial Operations, HR, Corp Comm]
Our Enterprise-Wide BCM Model
Business Continuity Committee (Design and Guidance)
Company/Infrastructure Readiness (Making Ready)
• Employee Preparedness, Policies and Communications
• Facilities Preparedness, Mitigation, Emergency Response and Security
• IT Preparedness, Mitigation and IT Disaster Recovery
Department Business Continuity Plans (Making Ready)
• Plan Design and Development
• Training and Exercises
• Each Department is responsible for its own BC Plan and Readiness
Incident Response (& Mgmt) (Should there be a need…)
• CIRT (Corporate Incident Response Team) comprised of key stakeholders
− Centralized management of all incidents – including Catastrophes
− Escalates/Communicates with Executive Leadership, as necessary
• Response Protocols for each Satellite Office
Enterprise BCM Program Component Terms/Definitions
Business Continuity Management (BCM): “Holistic management process… provides a framework”
Incident Response (our CIRT): “…may include evacuation of a facility… performing… measures necessary to bring an organization to a more stable status”
Facilities/HR – Emergency Preparedness/Response: “The capability… to respond to an emergency… to prevent the loss of life and minimize injury and property damage”
IT – Disaster Recovery (DR): “The technical aspect of business continuity… infrastructure, telecommunications, systems, applications and data…”
BCM/Facilities/HR/IT/BU’s – Work Area Recovery: “The component… that deals specifically with… relocation of… personnel… workspace… complete with necessary office infrastructure.”
BU’s – Business Continuity Plan (BCP): “…procedures… to respond, recover, resume and restore… to ensure the continuity of critical business functions”
Enterprise BCM Program Component Expectations
• BCM Committee: Collaborative Oversight and Readiness; Promotes ‘good organizational habits’
• BCM Program Office: Provides BCM leadership, framework, development, expertise and support services
• BCM/Risk “Owners”: Sign annual attestation; their designated “Liaisons” perform the work in advance
• Corporate Incident Response Team (CIRT): Management team responsible for leading and managing the response to any circumstance (incident, crisis, catastrophe/disaster and the like)
• Emergency Preparedness/Response: Facilitates 1st response to emergencies: evacuation, ‘shelter in-place’, lockdown and the like. Further direction/support from CIRT. MERT for medical emergencies
• IT Disaster Recovery (DR): “Warm site” data center in Rochester; replicates data and is used for ‘fail-over’
• Work Area Recovery: Initially Work from Home; complemented by Agility Recovery to provide 144 ‘seats’; includes equipment and connectivity to our networks via office space, mobile units, generators and satellites
• Business Continuity Plans (BCP’s): Department protocols to help manage from incident occurrence, to and through the point of continuing critical department processes; includes IT DR and/or Work Area Recovery
Then… Communicate BCM in Common Sense
• Business Continuity is the advanced planning and preparation for things that can happen, and then being ready to respond when things do happen
• What does that really mean? (Hint: You won’t find it in a binder, or in a software tool…)
• “It’s in the Planning, not the Plans”: BCM is an embedded organizational culture that promotes continuous planning, preparation and making the business ready to respond
• We understand people come first, but doing our jobs becomes the priority once safety is addressed
• Which means every employee has a role in business continuity
• Every employee must be fully prepared at work and at home, including their families
Recommended Management Strategies
1. Start a BCM Committee
– Dept Heads from: Facilities, IT, Corporate Communications, HR and Key Customer-facing BU’s
– Use Risk-based (ERM) / Best Practices approach, and establish that BCM is a “Show-Stopper”
2. Establish an Incident Response and Management Team (both Members/Protocols)
3. Leverage ‘like-minded’ efforts that are already established. Use the BCM Committee to consolidate and update (possibly agree for BCM to take the lead on integration/improvement)
4. Gain Senior Management approval for a 2- to 4-step design/re-design and deployment strategy
– Begin 1st step ASAP!
5. Provide regular updates and recommendations to Senior (C-level) Executive Management
6. Leverage Corp Comm to socialize BCM to entire company as much as possible… Be Creative!!!
Recommended Employee Strategies
1. Highly promote that all employees prepare themselves and their families:
– Develop an Awareness Campaign
– Lots of help out there! e.g. Red Cross: “Get a Kit. Make a Plan. Be Informed.” (http://arcbrcr.org/#SITE)
– Download local alert apps for weather and other emergencies (In NY, www.nyalert.gov)
2. Highly encourage supervisors and subordinates to exchange critical contact information
3. Everyone has a role, is expected to do something during an incident… even if just a phone call
– Know where to go and what to do, even if it’s home. (If you don’t know, ask)
– We understand that family comes first. Give management the courtesy of knowing your situation and
strive to make yourself available. (This is our place of both customer commitment and employment)
When can we communicate that we have achieved Enterprise-Wide Business Continuity?
• Business Continuity Committee – Confluence and Oversight
• BCM Program Office – Facilitation and Expertise
• Each Department Head is a BCM Plan Owner – Accountability & Ultimate Responsibility
– IT Depts (including DR) are included in this!
– Signs Attestation that BCP is Viable/Actionable, and that SVP’s/Employees are Informed/Trained
• Business Continuity Liaison – Plan Owner-designated Single-Point-of-Contact
– Facilitates information-gathering and plan development (as well as data input and BCM activities)
• Incident Response & Management – Protocols to Ensure a Defined Team is Organized/Ready
[Note: Make it a goal this year or next, to report Residual Risk Tolerances to BOD Audit Committee]
Enterprise-Wide Business Continuity
It’s in the Planning, not the Plans!
Q & A
Thank you,
Dave Prosser, MBCP
dave.prosser@preferredmutual.com