Seminar on Operation Sustainability for Your Business Thursday 10 May 2012 | 09:00 – 12:00hrs @ Silom Ballroom, Holiday Inn Silom Hotel

BCM Seminar 10 May 2012


DESCRIPTION

Seminar on Operation Sustainability for Your Business at Holiday Inn Silom Hotel, Bangkok


Page 1: BCM Seminar 10 May 2012

Seminar on Operation Sustainability for Your Business

Thursday 10 May 2012 | 09:00 – 12:00hrs @ Silom Ballroom, Holiday Inn Silom Hotel

Page 2: BCM Seminar 10 May 2012

BCM introduction – Key Understanding towards Strategic Decision

Mr. Apichai Phongphotakul Director | Business Risk / Enterprise Risk Services Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.

Page 3: BCM Seminar 10 May 2012

Business Continuity Management

10 May 2012

Weerapong Krisadawat, CISA, CISM | Partner & Business Unit Leader – Enterprise Risk Services | Deloitte Touche Tohmatsu Jaiyos

Are you Prepared and Ready to Respond?

Page 4: BCM Seminar 10 May 2012

Don’t get caught without a plan

2 Business Continuity Management (BCM)

Page 5: BCM Seminar 10 May 2012

©2012 Deloitte. All rights reserved.

Agenda

What’s on BCM? Understanding the Roadmap to BCM Certification

Deloitte BCM Methodology & Implementation: World class best practices

Introduction: Key understanding towards strategic decision

BCM case studies & lessons learned from various business sectors

Page 6: BCM Seminar 10 May 2012

Natural Disaster

[Clip: End of the World]

Page 7: BCM Seminar 10 May 2012

© 2012 Deloitte Touche Tohmatsu Jaiyos

Natural Disasters around the world in 2010

1. Earthquake, Magnitude 7.0, Haiti, January 12
2. Earthquake, Magnitude 8.8, Chile, March 11
3. Volcano Eruptions, Iceland, March 20
4. Floods, Rio de Janeiro, April 5
5. Floods, Tennessee, April 30
6. Floods, China, May 10
7. Floods, Pakistan, July 26
8. Rare Tornado, Queens, Sept. 16
9. Landslide, Mexico, Sept. 28
10. Typhoons, Philippines, Oct. 12-24
11. Typhoons, Myanmar, Oct. 20-23
12. Earthquake, Magnitude 7.7, Indonesia, Oct. 25

Page 8: BCM Seminar 10 May 2012

Natural Disasters around the world in 2011

1. Earthquake, Magnitude 7.1, Chile, Jan 2
2. Earthquake, Magnitude 7.0, Argentina, Jan 3
3. Major Flood, Australia, Jan 3
4. Flood, 35 Dead, Brazil, Jan 6
5. Great Earthquake and Tsunami, Magnitude 8.9, Japan, Mar 11
6. Earthquake, Magnitude 7.0, Burma, Mar 23
7. Earthquake, Magnitude 6.7, Indonesia, Apr 3
8. Earthquake, Magnitude 7.4, Japan, Apr 7
9. Tornado, 47 Dead, South Carolina, Apr 16
10. Volcano, Iceland, May 21
11. Tornado, Massachusetts, June 1
12. Earthquake, Magnitude 7.8, New Zealand, July 7
13. Hurricane Irene, South East US, Aug 26
14. Wild Fire, Texas, Sep 11
15. Massive Flood, Bangkok, Oct 27
16. Typhoon, Philippines, Dec 18

Page 9: BCM Seminar 10 May 2012

Your Organization

Disaster effect - Threats to Continuity

Utility Outage

Civil Disturbance

Fire

Construction

Water Leaks

Viruses

Environmental Conditions

Flood

Terrorism

Sabotage

Earthquake

Typhoon

Hackers

Human Error

Equipment Failure

Land Slides

Natural Disaster

Human Intention

Human Unintentional

Equipment / Environmental

Page 10: BCM Seminar 10 May 2012

“In doing business today, BCM is essential to the organization.”

“Crisis management is a measure of a brand's capability.” Source: BrandAge Magazine

Page 11: BCM Seminar 10 May 2012

Brand Value

Top eight: the most valuable corporate brands in Thailand

Resources / Energy group

Industrial group

Communications group

Financial group

Consumer goods group

Services group

Property and construction group

Food and agricultural products group

339,944 MB

27,511 MB

172,798 MB

154,118 MB

5,311 MB

108,871 MB

164,995 MB

40,211 MB

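Results from Dr. Guntalee Ruenrom (กุณฑลี รื่นรมย์) and Ajarn Supakorn Pattarathanakul (ศุภกร ภัทรธนกุล), lecturers in the Department of Marketing, Faculty of Commerce and Accountancy, Chulalongkorn University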

Page 12: BCM Seminar 10 May 2012

What business continuity means today

Business continuity has changed from a reactive, recovery-based practice to a proactive, risk-based one

How does your organization measure up?

The future (2001 – )

Proactive

Business-centric

Focused on mitigation

Process-based

Continuous monitoring

Responsibility of board

The past (1980–2000)

Reactive

Technology-centric

Focused on recovery

Asset-based

One-time project

Responsibility of IT

Late 1980s | Early 1990s | Mid 1990s | Late 1990s | Early 2000s | Mid 2000s | Late 2000s

Factors that drove the evolution of business continuity

DR hit the corporate agenda in the mid 80s as businesses began to increasingly rely on mainframe computers.

The enthusiasm for DR started to wane as it became evident that a more proactive approach to risk mitigation was required.

Terrorist attacks of the early to mid 90s made firms realize that DR did not effectively mitigate risks. BC evolved as a result.

With the technology boom and roaring economy of the late 90s, BC, although a standard business practice, was given little attention.

Global events have raised awareness that threats are not just physical; cyber, regulatory, and other threats have made BC a part of a risk management program.

Disaster Recovery (DR) | Business Continuity (BC) Planning | Business Continuity Management | Enterprise Resilience

Why business continuity matters to your organization more than ever today

Given the challenges of a global 24x7 business environment, simply recovering your IT assets from a disaster is not enough for your business to even survive, let alone thrive.

Today, business continuity is a complex, continuous organization-wide program that requires active support and involvement of top management.

A global economic recession has left your organization more vulnerable to shocks

Global flashpoints now threaten your organization wherever it has operations

Complex regulations demand that your business deliver ever-higher service levels

Physical disasters, both natural and technological, can now cost your business billions

Your business can no longer afford spiraling IT downtime costs

Pressure to deliver 24x7x365 has resulted in robust threat detection and resource mobilization techniques for foreseeable emergencies. Handling disruptions now becomes part of normal capabilities.

Page 13: BCM Seminar 10 May 2012

What is BCM?

1. Preparedness/Preventive: Preparedness is how we change behavior to limit the impact of disaster events. It is a continuous cycle of planning, managing, organizing, training, equipping, exercising, creating, evaluating, monitoring and improving activities.

2. Incident Management Plan: Within minutes to hours:
- staff and visitors accounted for
- casualties dealt with
- damage containment / limitation
- damage assessment
- invocation of BCP

3. BCP Response: Within minutes to days:
- contact staff, customers, suppliers, etc.
- recovery of critical business processes
- rebuild lost work-in-progress

4. Recovery / Resumption - Back-to-Normal: Within weeks to months:
- damage repair / replacement
- relocation to permanent place of work
- recovery of costs from insurers

Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capacity for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value-creating activities.

BS25999

A. Prevent and avoid damage
- Take precautions and plan to minimize damage and impact

B. Rapidly resume operations following any interruption to critical operations
- Take steps to resume operations as rapidly as possible
- Establish target restoration time for critical operations to ensure customers do not switch brands

Page 14: BCM Seminar 10 May 2012

Key Business Continuity Objectives

Business Continuity Objectives

Earnings/Profit Protection

Protecting the enterprise’s financial commitments

Health and Safety

Protect health and safety of personnel

Viability

Keeping the company in business

Brand Protection

Avoiding public embarrassment and loss of credibility

Continuing New Business

Preserving the ability to sell in the marketplace

Page 15: BCM Seminar 10 May 2012

What is management looking for from BCM?

CEO / COO / CTO
• Reduce or avoid otherwise ruinous revenue losses
• Protect critical data by leveraging infrastructure and support services
• Ensuring the safety of employees and customers
• Maximizing the security of physical assets
• Protecting reputation and shareholder value

Risk Manager
• Improved threat awareness and mitigation control from time to time
• Accelerating effective coordination, communication, and decision-making in a crisis
• Meeting customer and regulatory demands
• Improving the ability to respond to major incidents effectively and safely
• Providing a better case when negotiating business interruption insurance premiums

Operation Manager
• Improving business supply chain resilience
• Determining and protecting time-critical business processes
• More quickly and cost-effectively resume business and employee activities
• Reduce downtime and increase employee productivity

Page 16: BCM Seminar 10 May 2012

Drivers for Business Continuity Management

Page 17: BCM Seminar 10 May 2012

Drivers for Business Continuity Management

Business Continuity Management is not about - or at least not only about - disasters but rather the strategic requirement for continuity. While the number of natural and man-made disasters increases, the regulations, expectations, and demands are driving entities to prepare for disruptions from every source.

Resilience, Recoverability & Availability

Threats and Risks

Customer Expectations

Laws and Regulations

Data and Information Availability

Shareholder Value

Reliable Initiatives

Enterprise Viability

Standards

Strong

Moderate

Weak

Strategic

Tactical

Page 18: BCM Seminar 10 May 2012

Why continuity matters today — a recessionary economy

Recessionary trends heighten your exposure to risk. Do your business continuity plans reflect this?

Original risk profile

Lowered risk profile due to risk mitigation

Lowered risk profile under normal conditions

Heightened risk profile due to erosion of defenses

Lowered tolerance level – reduced resistance to shocks

Tolerance level under normal conditions

Under normal economic conditions

• Visualize the risks faced by your organization as a threat landscape. The higher the peak, the greater the risk. The red line represents your organization's risk tolerance limit.

• The light grey landscape is your organization's original risk profile. The dark grey landscape is your risk profile lowered by implementation of risk mitigation controls.

• Most risks are now below your organization’s risk tolerance limit.

Effect 1: Diversion of resources

• A recession may cause resources to be diverted away from continuity to focus on organizational survival.

• Your organization may need to deal with reduced workforce, shutdown of facilities, delayed maintenance or the loss of a vendor, supplier, or partner.

• This may cause an erosion of defenses, causing your organizational risk profile to increase, bringing several risks above the tolerance level.

Effect 2: Reduced tolerance level

• A recession may also reduce your organization's liquidity and earnings, reducing its ability to withstand shocks and disruptions.

• Your risk tolerance level is therefore reduced. Risks that could be tolerated are now above your organization's new tolerance level.

What does your organization need to do?

Source: “Continuity in Recession,” Continuity Central (www.continuitycentral.com)

With more to accomplish with fewer resources, your business continuity program must become more agile. Continuity plans must reflect the current state of the organization — its capabilities and risk tolerance. Use business continuity tools to automate continuity maintenance tasks and enhance both efficiency and effectiveness. Top management must understand the situation fully in order to act rapidly.

Page 19: BCM Seminar 10 May 2012

Two ways organizations should look at business continuity

• With a business continuity program in place, an organization can offer its customers a higher degree of surety about its level of service.

• In 2008, Vodafone UK achieved BS25999 certification (the British Standard Institute’s certificate for business continuity management). It used this to offer a formal assurance to its customers about its continuity capability, gaining significant competitive advantage over other operators (Source: Forrester Research).

• An effective response to a disaster has been shown to have a net positive impact on shareholder value. A study at Templeton College, Oxford, showed that companies that recovered rapidly from a disaster saw a net increase in their stock price (see right).

Business continuity as a plan for survival

Business continuity as a source of competitive advantage

Your business continuity program is a means to survive — and to thrive

[Chart: Stock price performance after disaster. Cumulative returns (%) against days after disaster, for recoverers and nonrecoverers.]

Source: “The Impact of Catastrophes on Shareholder Value”, Rory F. Knight & Deborah J. Pretty

Do you have a program in place? A business continuity program is critical to your company’s very survival.

Does your program give you an edge? A business continuity program can be a marketplace differentiator.

• 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. Of those companies, 50% filed for bankruptcy quickly.

• Of those businesses that experience a disaster and have no emergency plan, 43% never reopen; of those that do reopen, only 29% are still operating two years later.

• 75% of companies without business continuity plans fail within three years of a disaster

• Having a business continuity program in place is critical to the very survival of your company. Statistics unambiguously reveal that organizations which suffer a catastrophic loss and do not have a continuity plan in place are very likely to go out of business shortly after the disaster.

• Your continuity program needs to account for the possibility of crises affecting not just your own organization; your business’ survival could be jeopardized by a crisis that affects an important supplier, customer, vendor, utility, or community.

Source: National Archives & Records Administration, Washington, D.C.; “Managing Your Risk – The Smart Approach to Protecting Your Business”, The Hartford Loss Control Department; “Blindsided: A Manager’s Guide to Catastrophic Incidents in the Workplace” by Bruce T. Blythe

Page 20: BCM Seminar 10 May 2012

Spiraling costs of downtime

With dramatically high per-minute costs to business, can your organization afford IT downtime?

“Are you able to quantify the business loss from downtime incidents?”

What does your organization need to do?

To determine whether you are overspending (thus diverting resources from other IT projects) or underspending on continuity (continuing to put your critical applications at risk), you need to 1) assess the downtime costs for crucial business systems; 2) perform a risk assessment and a business impact analysis; 3) compare alternative business continuity strategies to determine the benefits of each proposed solution.

Recovery planning resources need to be appropriately distributed amongst enterprise application, technology infrastructure, data center, and data recovery needs.

Source: Forrester Research Inc.

Pressures of serving customers globally on a 24x7 basis. Integration with supplier and partner IT systems. Accelerating time-to-market for products.

These factors mean that your business's mission-critical applications cannot be unavailable for even short time windows. This is especially true if your organization relies on the Internet to transact business.

Two in three organizations cannot quantify the loss to their business, either direct or indirect, in case their mission-critical applications fail.

Balancing the organization’s tolerance for risk with a hard dollar assessment of the level of mitigation provided by solutions helps to align business continuity investments to provide the right amount of coverage for the right price.

Downtime costs regardless of industry are prohibitively high…

… but few organizations can estimate the losses to their business

How much does every minute of downtime cost?

Can your organization quantify how much to spend to avoid downtime?

Page 21: BCM Seminar 10 May 2012

Relationship Between ERM & BCM

BCM

ERM

Identify Risks

Assess and Evaluate Risks

Integrate Risks

Response Risks Plans

IMP

Crisis Management Plan

BCP

DRP

Relocation

Media

Clean up

BCM = Business Continuity Management

DRP = Disaster Recovery Plan

ERM = Enterprise Risk Management

IMP = Incident Management Plan

Page 22: BCM Seminar 10 May 2012

The Benefits of Business Continuity

An effective business continuity program will:

• Improve threat awareness

• Better protect people

• Protect regulation and shareholder value

• Improve supply chain resilience

• Determine and protect time-critical business processes

• Meet customer and regulatory demands

• Accelerate effective decision-making in a crisis

• Improve the ability to respond to major incidents effectively and safely

• Provide a better case when negotiating business interruption insurance premiums

Page 23: BCM Seminar 10 May 2012

Key Success Factors

• The cost of doing nothing is too high

• Enterprises must thoroughly reassess their business continuity strategies and apply them to the distinctively different circumstances of the situation

• Plans need to be developed or revised to incorporate the effect of a significant – and sustained – absence of staff, including critical staff members, absence of premises and technology

• Consideration must be made for different regulatory frameworks, cultural practices, and risk levels

• Dependence on government organizations and third parties must be analyzed and the risks mitigated

• Regular maintenance, review and testing of plans is not an option but a necessity

Page 24: BCM Seminar 10 May 2012

Common Disaster Recovery Pitfalls

Deloitte has observed many common pitfalls as we have worked with 100+ organizations; we have aligned our efforts to mitigate these common issues.

Common Pitfalls

• Companies often have an ineffective event escalation and declaration process in place

• Application acceptance criteria (testing checklists) are not adequate for application recovery plans

• Testing is often limited as a result of a poor or insufficient level of detail within recovery procedures

• Recovery planning is typically seen as a discrete project or “point-in-time” effort, quickly resulting in out-of-date processes and procedures.

These factors combined necessitate improvisation and trial-and-error recovery, adding confusion, stress, uncertainty and time to the overall recovery process.

Our Preventative Measures

• Deloitte will collaborate with you to establish robust and effective Disaster Program processes, including event detection, escalation and activation.

• Deloitte will develop recovery procedures with direct input from your personnel in order to provide an appropriate level of detail.

• Application validation checklists and system acceptance criteria will be developed as part of system recovery procedures.

• Deloitte will provide guidance on how to sustain recovery plan viability as part of the overall Disaster Recovery program.

Page 25: BCM Seminar 10 May 2012

BCM Implementation: Lessons Learned

There is a gap in many organizations between management expectations and the company's ability to continue business operations.

Business Continuity Lessons Learned

• Recoverability and resilience are not built into Business as Usual

• DR professionals at MOST companies are not consulted during a crisis or event

• All types of threats must be included

• Copies of plans should be stored at a secure off-site location

• Increased uncertainty (following high impact disruption) may lengthen time to normal operations

• Companies struggle to roll up requirements and activities

• There are continued perceptions that BCM is a technology problem

• Business risk management is beyond a core competency and organizations have limited in-house expertise

• Alternate sites for IT backup should not be situated close to the primary site

• Telecommunications are essential

• Key personnel may be unavailable

• Plans must be updated and tested frequently

Page 26: BCM Seminar 10 May 2012

Why do companies struggle to implement an effective BCM / BCP?

Challenges
– Business processes have an increasingly greater dependence on applications and technology
– Business has aggressive recovery time and point objectives
– The complexity of the processes that need to be restarted has increased dramatically
– The lack of paper records has increased the impact, financial and other, of losing data
– Significant interdependencies between applications, systems, and business processes increase complexity of recovery

Business Continuity Timeline

Service interruption

Problem identification

Normal processing and activity

Notification and communication

Relocate or reroute business process

Manual processes

Restore voice and data network

Configure, Provision, and Restore Data

Recover applications

Resume and synchronize business

Business

IT

Network

Potential data loss

Time to recovery

Many companies struggle implementing an effective BC plan because of the complex coordination between business and technology components

Page 27: BCM Seminar 10 May 2012

Agenda

What’s on BCM? Understanding the Roadmap to BCM Certification

Deloitte BCM Methodology & Implementation: World class best practices

Introduction: Key understanding towards strategic decision

BCM case studies & lessons learned from various business sectors

Page 28: BCM Seminar 10 May 2012

What’s on BCMS? Understanding the road map to BCM Certification.

Mr. Teeradej Vibulpatanavong, ITMS/ISMS/BCMS Product Manager, Bureau Veritas Certification (Thailand) Ltd.

Page 29: BCM Seminar 10 May 2012

Copyright © Bureau Veritas Certification Thailand

What’s on BCMS? Understanding the road map to BCMS Certification.

Venue: Holiday Inn, Silom, Bangkok

Teeradej Vibulpatanavong, Quality & IT Product Manager

Date: 10 May 12

Introducing Bureau Veritas Certification

Page 30: BCM Seminar 10 May 2012

Bureau Veritas at a Glance

► Created in 1828

► A global leader in conformity assessment services in the areas of quality, health and safety, environment and social responsibility (QHSE)

Network of more than 700 offices in 140 countries

Over 26,000 skilled employees

► Eight global businesses providing a complete set of services

Services include: Inspection, testing, audit, certification, classification, risk management, outsourcing, consulting and training services

► Servicing 280,000 customers across a wide range of end markets

Broad Geographic Presence (1)
France 33%
Europe 22%
Asia Pacific & Middle East 22%
Americas 18%
Africa 5%

Eight Global Businesses (1)
Construction 20%
Consumer Products 14%
Industry 13%
Inspection & In-Service Verification 13%
Marine 11%
Certification 11%
HSE 10%
Government Services 8%

(1) 2006 revenue breakdown.

Our Profession: QHSE Compliance

Reference Standard Action Deliverable

Assessment

Full Independence from any Design / Manufacturing / Contracting / Insurance

Page 31: BCM Seminar 10 May 2012

A Balanced Portfolio of Activities

Marine
► Ship classification, ship and marine equipment certification, technical assistance and outsourcing services

Industry
► Conformity assessment of industrial equipment and installations to regulatory or client specifications from feasibility stage to de-commissioning
► Services include design review, shop inspection, site inspection, asset integrity management, product certification and related testing services such as non-destructive testing

Inspection & In-Service Verification (IVS)
► Periodic inspection of equipment and installations to assess conformity with regulations or client-specific requirements
► Services apply to electrical installations, fire safety systems, lifts, pressure and lifting equipment, and machinery

Construction
► Conformity assessment of construction projects to local regulations and construction standards, from design stage to completion
► Services include design review, code compliance, technical control, on-site safety coordination, testing of construction materials, asset management and technical due diligence services

Health, Safety and Environment (HSE)
► Inspection, audit, measurement and testing services in the areas of environment and health and safety
► Technical assistance and consultancy services to help companies define their HSE management strategy and improve their performances

Certification
► Certification of management systems and processes in the areas of quality, health and safety, environment and social responsibility based on public standards
► Second party auditing services based on customer-specific or Bureau Veritas standards

Consumer Products
► Testing, inspection and certification of consumer goods including textile, hardlines, toys, electrical and electronics
► Factory audits, social responsibility audits and training services

Government Services and International Trade (GSIT)
► Government Services: Pre-Shipment Inspection, X-Ray Scanning, Verification of Conformity of imported products
► International Trade: Commodity quantity/quality assurance, automotive services

Eight global businesses providing strong growth and cross-selling opportunities

Our Logo

Logo Change

From To

Certification Mark Change


From To

Effective since 17 January 2007

Page 32: BCM Seminar 10 May 2012

Standards related to BCM

Business Continuity Management System

Business Continuity

Result

Business Continuity Management

System

Process

Page 33: BCM Seminar 10 May 2012

Business Continuity Management

BCM

Important Time-sensitive

Business Continuity Management System Standards

► BS 25999 Business Continuity Management

Part 1 – Code of Practice – Published in November 2006

• Provides information about business continuity management and the key stages for implementation.

Part 2 – Specification – Published in November 2007

• An auditable standard against which organisations may be audited by Certification Bodies and become certified. Includes all requirements for Management System implementation.

► ISO 22301 Societal security -- Preparedness and continuity management systems -- Requirements

Current status is Final Draft International Standard (FDIS). It also has 2 parts.

Expected to be published in June 2012.

► TIS 22301-2553 (มอก. 22301-2553) Business Continuity Management Systems – Requirements

Page 34: BCM Seminar 10 May 2012

Business Continuity Management System Standards

BS 25999-1 Code of practice (BCM)
1 Scope and applicability
2 Terms and definitions
3 Overview of business continuity management (BCM)
4 The Business Continuity Management policy
5 BCM Programme Management
6 Understanding the organization
7 Determining business continuity strategy
8 Developing and implementing a BCM response
9 Exercising, maintaining and reviewing BCM arrangements
10 Embedding BCM in the organization's culture

BS 25999-2 Specification (BCMS)
1 Scope
2 Terms and definitions
3 Planning the Business Continuity Management System (BCMS)
4 Implementing and operating the BCMS
5 Monitoring and reviewing the BCMS
6 Maintaining and improving the BCMS
A Correspondence with ISO 9001, ISO 14001 and ISO 27001

Relationship with other IT management system standards

ISO 31000 Risk Management: Generic approach to developing, implementing and continuously improving a framework to integrate the process of managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture

ISO 20000 IT Service: 13 processes in IT Service Management Systems (Information Security Management included)
6. Service delivery process: Service level management; Service reporting; Capacity management; Information security management; Service continuity & availability management; Budgeting and accounting for IT services
7. Relationship processes: Business relationship management; Supplier management
8. Resolution processes: Incident management; Problem management
9. Control processes: Configuration management; Change management
10. Release process: Release management process

ISO 27001 Information Security. Process: Information Security Management Systems
1. Personnel Security
2. Physical and environmental security
3. Communications and operations
4. Access control
5. System development and maintenance to take into account security
6. Information Business continuity management

BS 25999 Business Continuity. Process: Business Continuity Management System
1. Planning the BCMS
2. Implementing and operating the BCMS
3. Monitoring and reviewing the BCMS
4. Maintaining and improving the BCMS

Page 35: BCM Seminar 10 May 2012

Copyright © Bureau Veritas Certification Thailand

Other management system standards with requirements related to BCM

► ISO/TS 16949: 2009 6.3.2 Contingency plans

prepare contingency plans to satisfy customer requirements in the event of an emergency such as utility interruptions, labour shortages, key equipment failure and field returns.

► ISO 14001: 2004 4.4.7 Emergency preparedness and response

to identify potential emergency situations and potential accidents that can have an impact(s) on the environment and how it will respond to them

respond to actual emergency situations and accidents and prevent or mitigate associated adverse environmental impacts.

periodically review, periodically test

► OHSAS 18001: 2007 4.4.7 Emergency preparedness and response

Business Continuity Management and Quality Management

[Diagram labels: Quality Management; Business Continuity Management; Normal business circumstances; Disrupted business circumstances!!!]

BCM complements Quality Management.

Relationships and Consideration on Part-1 & Part-2

[Diagram labels: BCM Programme Management; Understanding the Organization; Determining BCM Strategy; Developing and Implementing BCM Response; Exercising, Maintenance, Reviewing; Embedding BCM in the Organization’s Culture]

ISO 22301 and its family

► ISO/FDIS 22301: 2012 Societal security -- Business continuity management systems --- Requirements

The international standard expected to be published within Q2 of 2012.

► ISO/FDIS 22300: 2012 Societal security -- Terminology

Same as ISO22301

► ISO/DIS 22313 Societal security -- Business continuity management systems – Guidance

► ISO/DIS 22398 Societal security -- Guidelines for exercises and testing

► ISO 22320: 2011 Societal security -- Emergency management -- Requirements for incident response

► ISO/PAS 22399: 2007 Societal security - Guideline for incident preparedness and operational continuity management

► ISO/WD 22323 Organizational resilience management systems - Requirements with guidance for use

ISO 22301, its family, also other families

► ISO/TR 22312: 2011 Societal security -- Technological capabilities

► ISO/CD 22397 Societal security -- Public Private Partnership -- Guidelines to set up partnership agreements

► ISO/CD 22322 Societal security -- Emergency management -- Public warning

► ISO/NP 22315 Societal security -- Mass evacuation

► ISO/NP 22351 Societal security -- Emergency management -- Shared situation awareness

► …

► ISO/IEC 27031: 2011 Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity

► ISO 28000: 2007 Specification for security management systems for the supply chain

► REMARK: NP = New Work Item Proposal

CD = Committee Draft

FDIS = Final Draft International Standard

TR = Technical Report

Stages in the development of an ISO standard

PWI → NP → WD → CD → DIS → FDIS → ISO

Transition Policy

► No official Transition Policy has been issued yet.

► ISO 22301 is expected to be issued within the second quarter of this year.

ISO 22301 was approved by vote in April and is now being prepared for publication, which takes about 2 months from the date of approval.

► The transition period is expected to be between 12 and 18 months, or possibly 3 years.

► The change from BS 25999-2 to ISO 22301: 2012 can be made during a Surveillance Audit within the existing certification cycle.

► Additional auditing may be required, focusing on the differences between BS 25999-2 and ISO 22301.

This depends on the scope and size of the organization.

Main differences between ISO 22301 and BS 25999-2

► ISO 22301 is the first standard to use ISO's new requirements structure for management system standards (other existing standards will change their structure to follow).

► Although the structure of the Management System is new, some experts are of the opinion that the core essence of BCM has not changed.

► Greater emphasis on the leadership role of top management

► Greater emphasis on measuring performance

► Preventive action is changed to actions to address risks and opportunities and moved to the early part of establishing the system

► Greater emphasis on communication both inside and outside the organization

► Greater importance given to warning and alerting

► The requirements for Document Control and Record Control are combined

New structure of management system requirements in ISO 22301

Introduction:

► Clause 1: Scope

► Clause 2: Normative reference

► Clause 3: Terms and definitions

Requirements:

► Clause 4: Context of the organization

► Clause 5: Leadership

► Clause 6: Planning

► Clause 7: Support

► Clause 8: Operations

► Clause 9: Performance Evaluation

► Clause 10: Improvement

Certification process

Bureau Veritas Audit Process

Preliminary Audit: Optional

Initial Audit

►Verification of BCMS Framework

Certification Audit

►BIA, Risk Assessment, BCM Strategy, BCP/IMP, exercise, audit, MR etc, verification of implementation

Surveillance Audit, Re-certification Audit: Same as other standards

[Diagram: Management System Audit Cycle. Labels: Preliminary Audit; Initial Audit; Certification Audit; Certificate Issued; Surveillance Audit; Continual Improvement; Re-certification Audit]

Certification Process

[Diagram labels: Inquiry, Consultation, Estimation; Application; Contract Review: Scope, Time-scale, Audit team; Contract; Audit Stage 1; Audit Stage 2; Certification; Surveillance]

IBM: BS25999, ISO9001, ISO27001 Triple Certificate

Client: IBM Business Continuity and Recovery Services - Italy division

Business Continuity and Recovery Services - Italy division obtained its first triple certification ISO 9001, ISO 27001, BS 25999

Ali Dincmen, International Business Development Director – Bureau Veritas Certification France said “is one of the first IT Services companies in Europe to have obtained the two certifications BS 25 999 and ISO/IEC 27001:2005.”

For IBM, these certifications have internal and external benefits:

• IBM clients and partners are assured of a commitment to quality and security
• IBM demonstrates best market practices in IT environments that are well managed and provide the highest level of quality services.

One of the key factors that allowed the BCRS division to get certified in a very short time and with minimum effort has been the innovative approach of integrating its Information Security Management System (ISO/IEC 27001) and the IBM Global Management System (ISO 9001), already in place, with the new Business Continuity Management System (BS 25999).

Norberto Colombo, Italy Quality Program Manager of IBM said:

“I’m very pleased to report that another strategic goal has been reached by “Business Continuity & Resiliency Services (BCRS) Italy" in order to offer our clients a service even more qualified. This is an effective reason to capture business opportunities and to get a strategic advantage regarding national and international competitors.”

Accreditation Body Function

[Diagram: Certification Process, top to bottom]

Accreditation Body (JIPDEC)
    ISO Guide 62 and ISO 17021
Certification/Registration Body (e.g. Bureau Veritas Certification)
    BS 25999-2: 2007, ISO/IEC 22301: 2012
Organization to be certified (i.e. Client)

How do auditors find evidence?

• Reviewing documents
• Looking at records
• Interviewing people at all levels
• Observing practices and physical environment

NOTE: Can/should the auditor cover all people, documents and records during the audit?

Initial documentation review (Adequacy, desktop, intent audit)

In many instances it will not be possible to assess whether MS requirements are satisfied in principle from looking only at the documents.

Auditors take a holistic approach to assess the adequacy of MS documentation (not just procedures). Current practice is to conduct this activity on-site.

[Diagram: documentation compared (=) with BS25999-2 or ISO 22301 and other audit criteria]

Use checklist

Conformance or Implementation audit

[Diagram: Work practices compared (=) with audit criteria]

Work practices might not be documented in “written” procedures or work instructions

Auditing activities (ISO 19011: 2011)

• Initiating the audit
• Initial document review
• Preparing for on-site audit
• On-site auditing activities
• Reporting on the audit
• Audit completion
• Audit follow-up

Applying BCM

Steps in establishing BCM

• Define the Scope
• Identify Key Products / Services
• Identify the Processes that support Key Products / Services
• Business Impact Analysis
• Risk Assessment
• Risk Treatment
• Develop BCP / IMP
• Exercise and test

Setting Scope (Example)

[Diagram: an Organization with Senior Management and Stakeholders; Customer A, Customer B and an Outsourcer; Product A, Product B, Service C and Service D; supported by Activity 1 to Activity 6]

Source: Good Practice Guideline 2008

In the above diagram if it is decided that Product B and Service C are within scope of the programme then the shaded activities are necessarily fully or partly within the scope.

4 simple questions for BCM

1. What must survive? (Business Impact Analysis)
2. What resources are needed? (Continuity Requirement Analysis)
3. How must we prepare? (BCP / IMP)
4. How can we be confident that we will survive? (BCM Exercising)

Finding the balance point

Exercising, maintaining and reviewing

[Chart: Cost (Risk also !!!) against Complexity. Exercise types: Desk Check; Walkthrough; Simulation; Small rehearsals and tests; Medium rehearsals and tests; Large rehearsals and tests; Full]

Improving the organization's BCM capability

Thank you for your attention.

Deloitte BCM Methodology & Implementation: World Class Best Practices

Mr. Supharerg Khemngern, Manager – BCM Services, ERS, Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.

Deloitte Risk Intelligence – BCM Framework

[Diagram, reconstructed from its labels]

Sustain and continuously improve

Policy & Governance
• Roles & Responsibilities

Analysis
• Risk Assessment
• Business Impact Analysis
• Business Continuity Strategy

Planning and Implementation
• Plan Development
• Organizational Crisis Management Plan
• Corporate BCM Plan
• Department BCM Plans
• IT DR Plans

BCM Programme Maintenance
• Training
• Testing
• Maintenance

Levels: Enterprise level; Business units level

Layers: Business Continuity Policy & Governance; Business Continuity Strategy; Business Continuity Implementation; Business Continuity Sustenance

Owners: Board of Directors; Executive Management; BCM Department, Business Units and Corporate Support Functions; BCM Department

Deloitte Approach - BETH3 TAP

Business Continuity Management/Continuity of Operations

• Building (Facilities/Utilities)
• Equipment
• Technology (Application, Data, Infrastructure)
• Human Resources
• Third Parties (Vendors, Customers, Service Providers)

**Capabilities Assessment – Resiliency and Recoverability (CARR) Framework

Deloitte BCM Methodology vs. BS25999

Analyze
• Current State Assessment
• Risk Assessment
• Business Impact Analysis

Develop
• Governance Model
• Resilience & Recoverability Strategy
• BCM Plans Documentation

Implement
• Resource acquisition & embedding
• Training of key personnel
• Testing of plans, procedures & assumptions

Assure
• Continuous Improvement
• Reassessment and Quality Assurance
• Audit and certification

Governance & Project Management

Description: Create the governance model for a systematic program for the management and sustainment of business continuity processes, including emergency response, crisis management, business continuity, and disaster recovery.

Key Outcomes:
• BCM program mission statement & strategy
• BCM organization including staffing model and roles & responsibilities for the program office, steering committee, and working team comprising members of the business committee
• BCM policies, standard, guidelines, and terminology definitions
• BCM integrated into organization and IT change management processes
• BCM training & awareness strategy
• BCM program audit & compliance strategy
• BCM program metrics & reporting process
• BCM continuous improvement process

Benefit:
• Executive oversight of the BCM capabilities
• Mechanism to build and sustain BCM capabilities
• Better understanding of BCM program roles & responsibilities

Dependencies:
• Funding for BCM initiative

Stakeholders:
• BCM program office
• BCM executive steering committee
• People & performance
• Internal audit
• Legal
• BCM representatives from the business

BCM Governance Decisions

Monitoring and Control
• What qualitative benchmarking should be performed?
• How should periodic BCM progress reports be created and reviewed?
• What corrective action should be taken as key findings are made?
• How should the organization ensure corrections take place?

Coordination and Compliance
• What process should be used to ensure compliance with BCM standards and obligations?
• How should corporate BCM coordinate recovery activities between organizational units?

Allocating Capital
• How should limited resources be efficiently allocated?
• What capital is available for investment?
• What criteria should be used to dictate BCM investment decisions?
• What process should be used to review expenditures?

Leadership
• What is the overall direction for the business and related IT within the corporation?
• What are the cultural values regarding risk management?
• How should key stakeholders be represented?

Policy and Standards
• What should the fundamental BCM operating principles be?
• What internal BCM standards, rules and protocols are needed?
• Aligning BCM methodology and standards to industry standards such as: BS25999, NFPA1600, BCI, and DRII

Planning
• What should the corporate business recovery strategy include?
• What should be the corporate IT recovery goals?
• How should BCM program management be measured?

[Diagram labels: Strategy; Organization; Policies; Standards; Guidelines; Change Management; Training & Awareness; Audit & Compliance; Metrics & Reporting; Continuous Improvement & Quality Assurance]

Deloitte’s point of view - BCM Organization

[Diagram, reconstructed from its labels]

Phases: Preparedness; Emergency Response; Continuity; Recovery / Back-to-normal

Rows: Plan; Team; Timing

Plans and functions: Risk Management; Safety & Security; Incident Management; Crisis Management; Business Continuity Plan

Teams: Crisis Management Team; Business Continuity Team

Activities: Incident Response; Facility Management & Recovery; Salvage Operations; Employee Safety; Loss Reporting; Crisis Communication; Business Process Recovery; Supply Chain Continuity; Alternate Processing; Workplace Relocation; Disaster Recovery; Human Resources

Skills for BCM personnel

• Knowledgeable about the organization's business
• Project management skills
• Skills in analysis and problem solving
• Skills in transferring knowledge
• Understands the command and communication structure
• Understands the details of the documents related to BCM

Business Impact Analysis (BIA)

[Figure: Sample BIA Interview Form]

Description: Conduct a business impact analysis of key business functions to measure the potential financial and operational impacts that could occur if a business process was unable to operate for an extended period of time for any reason. The business impact analysis will provide requirements for recovery and will prioritize business functions. After plans have been developed, validation of business impacts can occur to assess whether strategies and plans meet recovery objectives.

Key Outcomes:
• Validated list of prioritized business functions and impacts
• Recovery requirements for business functions including resources and dependencies

Benefit:
• Helps prioritize business continuity planning activities and allocate scarce resources
• Provides clearer understanding of business process priorities and expectations in the event of a disaster
• Ability to create business continuity plans with a clear understanding of business requirements
• Potentially identify cost saving opportunities in current operations

Dependencies:
• BCM governance

Stakeholders:
• BCM program office
• BCM representatives from the business

MTPD / RTO / RPO

[Figure: Timeline of Impacts ($), from $0 through $1M, $5M and $10M to $50M, against Time (Hours), from 0 through 6, 12, 24 and 48 to 72+. Marked on the chart: Event; RPO; RTO; Workarounds; Data Synch; Financial Tolerance Limit (FTL); Recovery Time Objective (RTO) for Process A and Process B]

Key Objectives
• Business process review, interdependencies and priorities
• Critical applications
• Recovery Time Objective (RTO)
• Recovery Point Objectives (RPO)
• Minimum operating requirements

RTO vs RPO

[Figure: Data Loss (Years, Days, Hrs, Mins, Secs) and Downtime (Secs, Mins, Hrs, Days) on one scale, with three bands of labels: Protection Methods, Recovery Methods and Enabling Technologies. Labels on the chart: Capture on Write; Disk Backups; Synthetic Backup; Real Time Replication; Tape Backups; Vaults; Archival; Snapshots; Tape Restores; Roll Back; Instant Recovery; Disk Restores; Surgical Search & Retrieve; Tape & Automation; Continuous Data Protection; De-duplication; Remote Replication; Content Indexed Archival; Point-in-Time]

The business objectives for resilience are established when the tolerance for data loss and downtime become very short – seconds to minutes. These objectives become, in effect, SLAs for Information Technology.
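Treating the BIA's RTO and RPO as SLAs for IT means each application inherits the tightest objective of any process that depends on it. The following Python check is an added example, not part of the seminar material; the process names, application names and all figures are constructed, and the gap labels are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: float      # tolerable downtime agreed in the BIA
    rpo_hours: float      # tolerable data loss agreed in the BIA
    applications: tuple   # applications the process depends on


@dataclass(frozen=True)
class Application:
    name: str
    backup_interval_hours: float           # worst-case age of the newest recovery point
    tested_restore_hours: Optional[float]  # measured in the last exercise; None = never exercised


# Constructed sample data (assumption, not from the slides).
PROCESSES = [
    Process("Payments", 4, 1, ("core-banking", "customer-db")),
    Process("Monthly reporting", 72, 24, ("customer-db", "reporting-dw")),
    Process("Payroll", 48, 24, ("hr-system",)),
]
APPLICATIONS = [
    Application("core-banking", 0.25, 2),
    Application("customer-db", 24, 6),
    Application("reporting-dw", 24, None),
]


def derive_it_objectives(processes):
    """Push each process's RTO/RPO down to its applications; the tightest value wins."""
    objectives = {}
    for proc in processes:
        for app in proc.applications:
            rto, rpo, owners = objectives.get(app, (float("inf"), float("inf"), []))
            objectives[app] = (
                min(rto, proc.rto_hours),
                min(rpo, proc.rpo_hours),
                owners + [proc.name],
            )
    return objectives


def find_gaps(processes, applications):
    """Compare what IT can currently deliver with the objectives the business set."""
    inventory = {app.name: app for app in applications}
    gaps = []
    for name, (rto, rpo, owners) in sorted(derive_it_objectives(processes).items()):
        app = inventory.get(name)
        if app is None:
            # A dependency named in the BIA that nobody protects or recovers.
            gaps.append((name, "NOT_IN_INVENTORY", "required by " + ", ".join(owners)))
            continue
        if app.backup_interval_hours > rpo:
            gaps.append((name, "RPO_MISSED",
                         f"recovery points every {app.backup_interval_hours}h, RPO {rpo}h"))
        if app.tested_restore_hours is None:
            # An untested restore gives no evidence that the RTO can be met.
            gaps.append((name, "RESTORE_UNTESTED", f"RTO {rto}h has no exercise evidence"))
        elif app.tested_restore_hours > rto:
            gaps.append((name, "RTO_MISSED",
                         f"last restore took {app.tested_restore_hours}h, RTO {rto}h"))
    return gaps


if __name__ == "__main__":
    for app_name, gap, detail in find_gaps(PROCESSES, APPLICATIONS):
        print(f"{app_name:14} {gap:17} {detail}")
```

The shared customer database is the instructive case: it looks adequate for monthly reporting but fails both objectives once the payments process's 4-hour RTO and 1-hour RPO are inherited.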


Risk Assessment (RA)

Description: Conduct a high-level risk assessment to identify major credible natural, man-made, and technological threats to the organization’s key resources, their likelihood and potential impact, and recommendations to mitigate risks to an acceptable level.

Key Outcomes:
• List of critical resources
• List of credible threats to those resources
• Likelihood and impact of those threats on critical resources
• Residual risks and recommendations to reduce residual risks to an acceptable level

Benefit:
• Understanding of critical resources and key threats to the organization
• Risk-based approach to allocating business continuity risk mitigation resources

Dependencies:
• BCM governance

Stakeholders:
• BCM program office
• Enterprise risk management
• BCM representatives from the business

Sample Threat Chart

Category | Threat | Vulnerability | Forewarning | Duration | Score | Risk | In Scope
Natural | Flooding | Low | Yes | Short | 3 | Low | No
Natural | Wind damage / tornado | High | Yes | Short | 5 | Moderate | Yes
Man-made | Explosion | Very High | No | Short | 6 | High | Yes
Man-made | Hazardous waste | Medium | No | Short | 5 | Moderate | Yes
Man-made | Extortion | Low | No | Intermediate | 5 | Moderate | Yes
Man-made | Terrorism | Medium | No | Short | 4 | Low | No
Technical | Malfunction or failure of hardware | Medium | No | Short | 5 | Moderate | Yes
Technical | Malfunction or failure of system software | Medium | No | Short | 5 | Moderate | Yes

Risk Assessment - Tool

1. Collect Business Continuity Survey + Internal data + External data

2. Scoring tool for Risk assessment

3. Once the Business Impact Analysis scoring tool is finalized, the final score will be given on the Heat Map

[Figure: Heat Map. A 5 x 5 grid with both axes scored 1 to 5; one axis is labelled Risk assessment score]

Availability & Recovery Strategies

[Figure: Sample Availability Strategy Analysis. Continuum of availability strategies plotted by Cost of solution ($$$) against Time to functional availability (Seconds, Minutes, Hours, Days, Weeks). Strategies shown: Dedicated workspace; Pre-staged workspace; Remote access; Commercial work area; Mobile facility; Acquisition]

Description: Devise strategies based on various availability and recovery alternatives to meet business continuity requirements identified during the risk assessment and business impact analysis

Key Outcomes:
• Decisions on most risk and cost-effective availability and recovery strategy
• Resource requirements and implementation needs to realize strategy

Benefit:
• Guide the organization in determining the appropriate measures and resource requirements to meet stated objectives

Dependencies:
• Risk assessment
• Business impact analysis

Stakeholders:
• BCM teams from the business functions
• BCM program office

Sample of selecting Strategy Process (Internal Recovery)

When making a decision about internal recovery, the following systematic approach may be used to filter different alternatives. The picture on this slide is an illustrative example showing that options are gradually narrowed until the best option is determined.

Sample IT Recovery Strategies

Columns: Recovery Time Objective (RTO); Possible Alternative Strategy; Actual Implementation

Nearly Immediate (Infrastructure)
• 100% resilient infrastructure
• Fully redundant, failsafe WAN/LAN technology
• Fully secured redundancy
• In-house developed/Outsourced
• Redundant Power
• Multi-path, multi-carrier communications providers
• Real time rerouting of network
• Alternate data center for highly critical applications

Less than 1 hour
• Clustering/Active-Active & Clustering/Active-Passive
• Redundant Power/NICs/HBA
• Data Replication/Data Mirroring or RAID
• Continuous Monitoring
• Develop/contract for alternative data center out of region (hot-site)
• Full infrastructure redundancy
• Data mirroring/Off-site Vaulting

1 - 24 hours
• Clustering/Active-Active
• Redundant Power/NICs/HBA
• Data Replication/Data Mirroring or RAID
• Continuous Monitoring
• Use alternate data center (hot-site)
• No Active-Passive Clustering

25 - 48 hours
• Clustering/Active-Passive
• Redundant Power/NICs/HBA
• Data Replication/Data Mirroring or RAID
• Continuous Monitoring
• Specific Application Tape Recovery
• Asynch Tape Backup at Redundant Site
• Asynch Remote Vaulting Disk
• Mirroring of SAN Remote Vaulting to Tape (Avoid data corruption)

2 – 7 Days
• Redundant Power/NICs/HBA
• Data Replication/Data Mirroring or RAID
• Continuous Monitoring
• Tape recovery – Dedicated tapes
• Remote Tape Vault at 3rd party site
• Remote Tape Vault at alternative location

7 – 14 Days
• Redundant Power/NICs/HBA
• Data Replication/Data Mirroring or RAID
• Continuous Monitoring
• Tape recovery – Shared tapes with drop ship for hardware

Business Continuity Plan (BCP)

[Figure: Sample Business Continuity Plan]

Description: Create business continuity plans that describe the actions and resources necessary to achieve the objectives of the organization’s recovery strategy. These procedures are documented in formal plans and provide guidance through clearly-defined and action-oriented tasks.

Key Outcomes:
• Clearly-defined and action-oriented business continuity plans
• BETH3 resource requirements for business resumption
• Employee and third party notification procedures
• Manual workaround procedures
• Key dependencies

Benefit:
• Indicate what needs to be done during a disruption in order to minimize decision points at the time of the disruption

Dependencies:
• Availability & Recovery Strategies

Stakeholders:
• BCM teams from the business functions
• BCM program office

Plan Documents

Emergency Response Plan: Focus on people and property. Includes escalation, notification, life safety, physical security, technology, and emergency operation center procedures. Addresses the immediate after-effects of the event.

Crisis Management Plan: Focus on strategic leadership, executive protection and response, succession, public relations, legal, employee death or injury, major supply chain disruptions and other critical situations. The Crisis Management team takes responsibility from the Emergency Response team and becomes active prior to declaration of a “disaster”. The Crisis Management Team is responsible for “declaring the disaster”.

Business Continuity Plan: Focus on critical process or business unit, core competencies, key personnel, RTOs & RPOs, alternative locations, command & control, vital records protection, data security and workarounds & interim operations.

Disaster Recovery Plan: Focus on restoring technology & business infrastructure. It includes critical systems restoration, RTOs and RPOs, communications, data recovery, and recovery sites.

Structure of BCM Documentation

• Facility BCM Binders contain recovery information
• Stored offsite and electronically
• Distributed at time of disaster
• Operation cards to be posted on boards to facilitate/track recovery

[Diagram labels: Facility Level; Process Level; Operation Level; Facility BCM Binders; Overall BCM Plan; Recovery Management Procedures; Damage Assessment Procedures; Process Recovery Coordination Cards; Operation Recovery Cards; Return to Normal Procedures]

Crisis Event Timeline

[Diagram labels: Prevent / Preparedness; Incident Management Plan (IMP); Crisis Management Plan (CMP); Business Continuity Plan (BCP)]

Sample - Consequence of Documentation – Crisis Event Timeline

Awareness & Training

General Awareness

[Diagram labels: Awareness; Training; Education; General Employees; Specialized Roles]

General employee awareness is a component of the overall training and awareness strategy

Description: Raise general employee awareness about business continuity risks through internal communications campaigns via executive messages, intranet postings, etc. Lays the foundation for training about specific roles and procedures in the event of a disruption.

Key Outcomes:
• Business continuity awareness materials
• Increased level of awareness about business continuity risks and importance of disaster preparedness

Benefit:
• Promote a corporate culture of disaster preparedness
• Lays foundation for specific business continuity plan training

Dependencies:
• None

Stakeholders:
• BCM program office
• Corporate communications

Business Continuity Plans Training

Change Management

Description: Train everyone involved in the recovery and continuity processes so they are aware and equipped to fulfill their responsibilities.

Key Outcomes:
• Training materials
• Trained resources prepared to execute the business continuity plan
• Sufficient cross-training to allow business resumption even in the absence of specific key personnel

Benefit:
• Promotes a corporate culture of disaster preparedness and provides detailed knowledge necessary to carry out business continuity activities

Dependencies:
• Implemented Business Continuity Plans

Stakeholders:
• BCM teams from the business functions
• All employees from the business functions
• BCM program office
• Training & development

Implement – Training & Awareness

[Diagram labels: Business Continuity Management; Compelling, Shared Vision; Measures, Milestones & Evaluation; Power & Politics; Communications & Engagement; Training & Performance Support; Organizational Infrastructure & Processes]

Stakeholders with authority, power and/or influence lead and visibly support the communication & education effort

Articulation of a compelling, shared vision and business imperative for BCM communication & education

Associates are well-informed about BCM

Establishment of short- and long-term measures of success

Development of a framework that supports ongoing BCM communication & education

Key employees are enabled to perform their BCM roles and responsibilities

BCM Program Communications & Education Strategy

BCM Exercising

Change Management

Description: Examine the validity of recovery and continuity plans through testing exercises using rehearsals or other similarly rigorous testing techniques. IT disaster recovery should be incorporated into business continuity testing where possible. Third parties may be involved in testing exercises as appropriate.

Key Outcomes:
• Test schedules, plans, and support materials
• Testing results
• Enhanced business continuity plans based on learnings from the test

Benefit:
• Identifies issues with the recovery and continuity plans during a test rather than during an actual disruption
• Supports training and awareness objectives
• Enhances coordination between business, IT, shared services, and third parties in advance of an actual disruption

Dependencies:
• Implemented Business Continuity Plans

Stakeholders:
• BCM teams from the business functions
• Key employees from the business functions
• BCM program office

Sample - Exercising & Testing

[Diagram: types of exercise plotted against two axes, Frequency and Complexity & Cost, each ranging from Low to High]

Types of exercise: Desk Check; Walk-Through; Simulation; Exercise Critical Activities; Exercise Full BCP

Steps (1 to 3):
• Set KPI
• Consider frequency, number of practitioners, preparation time or investment when defining the type of BCM plan testing
• Define testing objectives that align with plan objectives
• KPIs in each category will differ by type of BCM plan testing

Sample - BCM Implementation Plan

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/th/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication

© 2012 Deloitte Touche Tohmatsu Jaiyos

Weerapong Krisadawat

Partner

Tel: + 66 2676 5700 Ext. 6211

Email: [email protected]

BCM Case Studies & Lessons Learned

Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.

2011 BCM Survey Results

[Charts: Perceived benefits of having BCM; Reason for not having BCM; Common elements of effective BCM; Products & Services used when developing BCM]

Data Source: The 2011 BCM Survey: CMI

2011 BCM Survey Results (Continued)

[Charts: Barrier of developing BCM in organization (callouts: Conflicting Priority; Lack of Time); Objectives of developing BCM (callout: Protect reputation)]

CFO Survey Japan 2011: 3/11 Triple Disaster Impact - Crisis Management and Resilience

This survey is an initiative of the CFO Program Japan which focuses on foreign companies in Japan and was conducted between 29 March and 12 April 2011 (Version 2 includes data until 30 April 2011).

Presently, around 110 companies are actively participating in the various program initiatives and were invited to partake in this survey. The majority are D300 and MFSC clients with subsidiaries in Japan.

This survey summary will be used as input for a CFO Roundtable discussion on 20 May 2011. Detailed discussion topics to be finalized (potential topics can include: crisis preparation, crisis management, business continuity and recovery, impact of 3/11 on Japan). The discussion will be summarized and published after 20 May 2011.

Impact on Business and Operations

• Of those companies that were allowed to disclose their financial impact, TMT and Automotive companies report the highest negative impact on their revenues and profit for 2011 mainly due to supply chain disruptions and need for alternative suppliers

• Many companies in these industries are still not in a position to assess the impacts at the time of closing this survey

• Larger FSI companies (100M JYN and more annual revenue) and especially insurance companies report significant revenue impacts and even larger drops in profits

• The Life Sciences companies are overall the least impacted and besides one, none of them faces any supply chain breakdowns

• The participating energy company even expects a revenue increase thanks to larger demand for their products

• Some Consumer Businesses, especially the participating luxury retailer, are still finalizing their assessment of the overall impact; however, their biggest worry is a possible change in consumer buying behavior, partially due to mandated changes in opening hours and transportation availability

• The biggest common headache expressed is the unclear power situation, which will force companies to change their office hours, work places and shifts, and has even made some rethink their location

CFO Survey of foreign companies in Japan - Participants

[Charts: Job titles; Revenue of foreign subsidiary in Japan]

Job title “other”: Country Executive and Group Japan CFO

Foreign companies in Japan who are actively participating in the Deloitte CFO Program were invited to share their views on the triple disasters

Source: Deloitte Japan CFO survey 1H2011 (38 completed and 27 partially completed questionnaires)

CFO Survey of foreign companies in Japan – Industries

[Charts: Industry segments; Headquarter Country]

• Financial Services and Life Sciences represent the largest share of participating companies
• 35% are US based, followed by 14% German and 14% French companies

Source: Deloitte Japan CFO survey 1H2011

Anticipated Impact of Triple Disasters on Japan Revenue for 2011

Expected Decline in Revenue

• Some participants are still assessing the impact and provided directional inputs only
• 21% expect no impact on their revenue at all and 55% estimate declines between 1 and 10%, however still 13% expect drops up to 25% of their revenue
• The manufacturing and technology industry representatives report the highest expected impact
• Some FSI companies can be found in the mid-range of 10-15% and most Life Sciences report very low or no impact

Survey Participant Comments “Other”:
- FSI:
  - Top line may shrink by 10-15% due to slower economy
  - Small
  - Closed block, so no new revenue but continued in-force M&E fees impacted due to lower equity markets
  - Too early to estimate
  - Delay in executing selective transactions
- TMT:
  - Too early to say since supply chain ripple effects not known yet
  - Short term negative, long term unclear based on possible rebuilding investment
- Life Sciences:
  - Difficult to estimate right now
- Consumer Business:
  - Currently being assessed

Financial Impact – Financial Services Industry

Profit Impact – rather different

– About one half of the respondents expects their profits to drop between 0 and 10%

– However, one third of the respondents estimates profit declines between 20 and 50% and these are mostly the large FSI companies

Revenue Size of Participating FSI Companies

• 56% of the participating companies are considered large – revenue over 300 B JYN

• Revenue impact

– One half of the respondents expect a revenue drop between 10-15%

– Other half expects no or only small impact on revenue

Financial Impact – Life Sciences

Profit Impact – similar to Revenue Impact

– About 15% expect even an increase in profits this year

– Around 60% expect a decline in profits between 1 and 8% which is very similar to their expected revenue decline

– Around 15% estimate a profit decline closer to 10%

Revenue Size of Participating Life Sciences Companies

• Close to 60% of the participating life sciences companies have annual sales between 100 and 300 B JYN

• Revenue impact

– About one third of the participating companies do not expect any impact on their revenue at all

– Around 60% expect some drop between 1 and 5% and around 15% estimate a decline closer to 10%, but nothing more

Impact on Human Capital – Overall very limited

Impact on Human Capital

Fortunately, 75% report no impacts on their personnel, however 10% have to cope with some loss

A potential longer term impact for foreign companies:

• It will be increasingly difficult to motivate and incentivize talent and staff from Headquarters or other subsidiaries to take on assignments in Japan due to uncertainties related to the nuclear accident and power outages, among others

• This can worsen the already existing shortage of talent in many areas of the operations, and especially in finance and accounting

Impact on overall Operations – Limited

Impact on Operations

Again fortunately 65% report no impacts on their operations, however 23% have been scaling back their operations and 3% even performed shut downs

“Other”:
- One plant near Fukushima Daiichi abandoned
- Few damages to retail stores
- Nothing new, but cost is in using back up systems that were prepared

Source: Deloitte Japan CFO survey 1H2011

• Companies scaling back their operations can be found in several industries with manufacturing and retail outlets

• These facilities can be damaged, and ongoing power shortages hinder regular operating hours

Note: Foreign companies with manufacturing sites could not always assess the impact of the triple disasters on their operations and therefore the largest group of participating companies in this survey do not have manufacturing sites in Japan.

Impact on overall Supply Chain – Mainly Supplies and Suppliers

Impact on Supply Chain

The biggest supply chain disruptions are related to missing / delayed supplies and affected suppliers

Input on “Other”:
- Impacted but full extent of ripple will only be known in a few months
- Find suppliers for discontinued own production
- Delay in production process at supplier level
- Primary concern is supply of electricity

• The full extent of the impact on the supply chains is still to be seen; however, the continued power blackouts and shortages will prevent companies from operating business as usual

• Changes to operating hours, shifts and work places are being considered and are partially already implemented to work around the power issue

Impact on Infrastructure and Operations

Impact on Infrastructure and Operations

75% report some impact of the triple disasters on their customers and intermediaries (e.g. agents, physicians, etc.) and most companies are actively supporting them as part of their recovery activities

Note: the large portion of impacted customers and intermediaries can be due to the represented companies in the survey (e.g. relatively large number of Financial Services and Life Sciences companies).

Comment: other Service Providers
- General economic and currency impact possible

Expected Recovery

65% expect their subsidiaries to fully recover within the next 6 months, however this optimism is not shared for the Japanese economy

[Chart: Expected Recovery of Subsidiary vs. Japanese Economy; series: Japan Subsidiaries, Japan Economy]

Source: Deloitte Japan CFO survey 1H2011

Some reasons for fast recovery of subsidiaries

“Increased demand for our products due to the triple disasters” – French Construction Company

“Limited impact – Kansai HQ and small sales in most affected region” – UK Life Sciences Company

“Major business done ex-Osaka” – German Life Sciences Company

Six key areas for improvement are identified:

Business Continuity Plans

Tests and Exercises

Policies / Guidelines

Technology Upgrades

Location Re-considerations

Emergency Supplies

Since less than half of the participating companies have business continuity plans in place, it is not surprising that this is a key area for improvement going forward

“This time we did a small pilot for moving a subset of a single operation to Osaka. We learned of a few challenges in this area in case we need to relocate more. … family challenges, constrained hotel capacity, etc. We have prepared stronger contingency plan for a relocation of HQ operations.” – CFO of US TMT Company
