Crisisinterface Copyright Crisisinterface Limited 2013 Gareth Jones [email protected] 0044(0) 7880 313618 Gareth Jones MSc MBCI BCM for major events What is the challenge?

Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

DESCRIPTION

Presentation to BCI workshop 30 Jan 13 in London on planning for major events. Discussion on spectrum of expected risks and possible tools to use.

Page 1: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Gareth Jones MSc MBCI

BCM for major events What is the challenge?

Page 2: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Agenda

What are major events?

Will normal BCM tools be appropriate?

What other tools could we use to enhance our planning?

Conclusions

Some further reading

Page 3: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

What are major events?

[Diagram labels: ‘normal’ interruptions; wide area & international events; global events. Scale: Interruption, Material impact, Extinction]

Page 4: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

‘Normal’ interruptions

• Extreme weather e.g. flood/high winds

• Loss of IT

• Loss of people

• Loss of access to site

• Transport disruption

• Damage to corporate image/reputation/brand

• Loss of telecommunications

• School/childcare closure

• Loss of electricity/gas/water/sewage

• Loss of key skills

• Supply chain disruption

• Negative publicity/coverage

• Customer health/product safety incident

• Employee health & safety incident

• Pressure group protest

• Environmental incident

• Fire

• Industrial action

• Terrorist damage

Source: The 2012 CMI Business Continuity Management Survey

Page 5: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

‘Normal’ interruptions

[Diagram labels: ‘normal’ interruptions; wide area & international events; global events]

• Loss of IT

• Loss of people

• Loss of access to site

• Loss of telecommunications

• Loss of utilities

Page 6: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Major events – some examples

Stuxnet worm ‘targeted high-value Iranian assets’ FT 23 Sep 12

Assad launches Scud missile barrage DT 13 Dec 12

The great cyber hijack: how China diverted the web in 18 minute sting DT 19 Nov 10

Japan – nuclear alert over fears of leak at quake reactor DT 12 Mar 11

Marikana mine violence poses major threat FT 24 Aug 12

Buncefield explosion threatens 400 businesses DT Dec 2005

BP faces fresh attack over spill failure DT 13 Jun 10

Al Qa’eda brings terror to heart of London DT 8 Jul 05

BlackBerry manufacturer RIM had ‘single point of failure’ Computer World 13 Oct 11

Anthrax attack hits Congress, Israeli minister assassinated DT 18 Oct 01

Ministers should have acted sooner over Ash crisis DT 21 Apr 10

Page 7: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Wide area & international events

[Diagram labels: ‘normal’ interruptions; wide area & international events; global events]

• Loss of IT

• Loss of people

• Loss of access to site

• Loss of telecommunications

• Loss of utilities

• CIS Wildfires

• Hurricane Katrina

• Country power failure

• Iceland ash cloud

• Terrorism Mumbai

• National strike

• 9/11

• Gulf oil spill

• Flu pandemic

• ‘Jetstream’ storms

• Bank collapse

Page 8: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Will normal BCM tools be appropriate?

[Diagram: time axis starting at the incident/interruption, with markers at 24 hours and 48 hours; labels: Recovery time objective; Maximum tolerable period of disruption; May be qualified with recovery level]

Impact: evaluated consequence of a particular outcome

• Financial

• Reputation

• Legal/contractual/regulatory

• Quality

• Staff morale

• Other?

Incident: Situation that might be, or could lead to, a business interruption, disruption, loss, emergency, incident or crisis

RTO: Recovery time objective. Target time set for resumption of product, service or activity delivery after an incident

MTPD: Maximum tolerable period of disruption. Duration after which an organisation’s viability will be irrevocably threatened if product and service cannot be resumed

Page 9: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Tools to use in planning for major events?

Risk Management and risk appetite

Dependency and process mapping

Value chain analysis

Down time analysis

Insurance: business interruption calculations

Scenario analysis/stress test

Scenario planning

Others?

Page 10: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Scenario analysis

Adopted by financial sector to develop a view of low probability high impact risks to assist in calculating the level of financial resilience required

Takes ‘long tail’ risks and uses internal loss data (ILD) and external loss data (ELD) to assist in making judgements on what loss might be sustained if certain scenarios happen at differing levels of severity

Process:

define and agree scenario descriptions

view over a range of probabilities to quantify possible impacts/severity and evaluation of controls

Usually workshops with a group of management, experts and people to facilitate objectively and avoid bias

Page 11: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Scenario planning

[Diagram labels: 3rd party cause; ‘normal’ identified risk; only firm affected; market wide. Scenarios shown: #1 London-wide outage; #2 main offices outage; #3 major technology failure; #7 infectious disease. Onset labels: slow initial burn; fast onset; medium onset; fast onset]

Page 12: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Conclusions

Assumption is that most developed BCMS should be capable of handling ‘normal’ interruptions

The requirement to plan for major events is poorly defined and often ‘too difficult’ until forced upon management?

Normal BCM tools may not be the best tools for reducing uncertainty in planning for major events

Scenario analysis provides a developed technique to define financial impacts over a range of probability using a disciplined method

Scenario planning often highlights different requirements to those defined by ‘bottom-up’ BIA and tests assumptions (as with exercises and war-games)

Tools and techniques are still evolving – we should take the wider view and sample and utilise the best tools to build resilience for major events

Page 13: Business Continuity Management - planning for major events. BCI Workshop 30 Jan 13

Further reading on the topic of tools for use in planning for major events

UK Chartered Management Institute – Planning for the worst. Annual BCM Survey March 2012 (normal interruptions and useful benchmark data)

WEF – Global Risks Report 2013 (risk mapping and interconnectedness)

Future Global Shocks – OECD Reviews of Risk Management – June 2011 (dependency modelling)

UK National Risk Assessment for Civil Emergencies – January 2012 Edition (www.cabinetoffice.gov.uk) (UK view of risks)

Risk appetite and tolerance consultation paper – IRM May 2011 (useful for defining risk appetite)

Scenario planning: Ringland (staple reference on scenario planning)

Scenario analysis: APRA working paper: Applying a structured approach to operational risk scenario analysis in Australia (www.apra.gov.au – explanation of some SA terms)

Exercise programmes: design, experience, reflect and fix. Gareth Jones, Continuity, Mar 2010 (discussion on developing an exercise programme)