BCM Training Part 1 - Introduction To BCM - Business Risk & Management

Business ContinuityIntroduction

2 April 12, 2023

About Andrew…

Grew up in Australia Lived for past 6 yrs in Singapore 9 months in Thailand

Education Bachelor of Education Grad Cert Enterprise Management Grad Diploma in Rehabilitation Masters of Business Administration (MBA)

Employment Numerous, including… Hewlett Packard Regional Security/BC/Claims

Mgr Genzyme – Regional Security & BC Director Consultant: BC/Security/Investigations/Risk

[email protected]: 0818935329

Sections

1. Introduction2. Event/Disaster/Crisis/Accidents3. What is BCM?4. Typical company BCM5. BCM Standards & certification

3 Copyright © Business Risk & Management Pte Ltd

4 April 12, 2023

Business Continuity Management (BCM)

• Events of late have demonstrated that negative consequences can befall any organisation

• We’re seeing a shift from “it won’t happen to me” to developing a Business Continuity approach

• BCM legislation makes is being implemented in some countries making BCM a legal requirement

• Risk Management is a key component in Business Continuity Management

Threats

ReputationShareholder Value

Stakeholders SatisfactionCorporate Governance

Safety Net

CrisisManagement

DisasterRecovery

BusinessContinuity

5 April 12, 2023

“Event"…in BC, it means an existing or unusual occurrence in the natural or human-made environment that may adversely affect human life, property, or activity to the extent of a disaster.

6 April 12, 2023

Types of Events

Physical Operational3rd Party

Outsourcing e-Business

Fire Flood Earthquake Tornado Hurricane Snow storm Utility failure Bombing Riot/Civil unrest Terrorism Kidnapping Theft SARS/other viruses Hazardous

chemicals

Contract breach Legal issues Disruption to supplier No operating capacity Loss of JIT inventory Disruption of

distribution Unstable political

environment Regulatory

requirement issue Disruption at

manufacturing Loss at CM site

Theft at 3rd party warehouse

Gaps in 3rd party risk assessment

Fraud commited by 3rd party employees

Disruption of IT services/support

Disruption critical databases, networks

Disruption of Telecomms services

Computer viruses Cyber terrorism,

Hacker attacks Breach of info

security, confidentiality

Types of events

What ‘events’ have you experienced?


What’s the chance of an ‘event’ happening? If it does happen, what is the impact?

© Business Risk & Management Pte Ltd 8

What is Risk?

Exposure to a chance of loss or damage;

"We risked losing a lot of money in this venture" "Why risk your life?“ Gamble: take a risk in the hope of a favourable outcome; "When you buy these stocks you are gambling“

Risk concerns the expected value of one or more results of one or more future events.


Risk quotes…

Risk is part of every human endeavour.

Progress always involves risks. You can’t steal second base and keep your foot on first. Frederick Wilcox

A ship is safe in harbour, but that's not what ships are for.

You've got to go out on a limb sometimes because that's where the fruit is.


Type 1 - Risk score calculator

11 Copyright © 2010 Accenture All Rights Reserved.

Type 2 - Risk Matrix

13 April 12, 2023

What is Business Continuity Management?

Unplanned events can have catastrophic effects and the

disruptive incidents can come from accidents, criminal

activity or natural disasters.

An organisation’s effort to limit the effects of a crisis by

providing uninterrupted operations and services

during this period.

Provides a basis for planning to ensure the long-term ability

to continue trading following a disruptive event

Not something developed at the time of a crisis

Phases of a Crisis


time

Recovery

CM

ER

1 min

2 hrs 6 hrs 1 day 1 wk 1 month

inte

nsity

?

15 April 12, 2023

Does BCM impact on a company’s share price

Initial loss of shareholder

value is approx 5%

for recoverers

Initial loss of shareholder value is approx. 11% for non-

recoverers

The non-recoverers suffered a net cumulative

impact of almost 15% up to one year after the

catastrophe

* = Sourced from an Oxford Executive Research Briefing Paper ‘The Impact of Catastrophes on Shareholder Value’ Rory F. Knight & Deborah J. Pretty 1996.

How long can a company survive without a BC Program?

80% of businesses affected by a major incident either never re-open or close within 18 months (Source, Axa)

Companies that aren't able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute)

According to Contingency Planning Research & Strategic Research Corporation: 43% of U.S. companies experiencing disasters never re-open, and 29% close within 2 years

Within two years after Hurricane Andrew struck in 1992, 80 percent of the affected companies that lacked a business continuity plan failed (FEMA)

According to a recent Touche Ross study, the survival rate for companies without a disaster recovery plan is less than 10%!



70 percent of companies go out of business after a major data loss (Source, UK DTI)

Research by IBM (Varcoe, 1993) showed that 80 per cent of organisations without relevant contingency plans who suffered a computer disaster went bankrupt

In 2008, 40 per cent of organizations suffered disruption due to a loss of IT.



In relation to California…In fact, statistics indicate that 50% of businesses which sustain interruptions of a week or more due to problems at the primary site never recover. Recent media reports also indicate that an estimated 25% of the companies stricken by the California earthquakes were forced to close their businesses. http://www.drj.com/index.php....

Despite recognizing the threat posed by diseases such as influenza, 53 per cent of organizations still have no plans to help them cope during a pandemic. Source: The Business Continuity Management Report, 2009, Chartered Management Institute


Despite the fact that the financial cost to our companies could be significant….


“FAILURE IS NO LONGER AN OPTION”

7% of companies with revenue over $5bn experienced a business

disruption that cost the business over $5m during the last 12 months….

…at one company this cost was potentially worth up to $180m of $180bn business, each year

Source – Continuity Insights/KPMG 2003

Cost to Business

< $100k

$100k - $500k

$500k - $1m

$1m - $5m

> $5m

BCM global standards

UK: British Standards Institution (BSI), BS 25999

Thailand: 22301-2553

North America: National Fire Protection Association NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.

ISO: ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management

Australia/NZ: HB 292-2006 : A practitioners guide to business continuity management. In 2010, Standard AS/NZS 5050 was released.

ASIS: ANSI/ASIS SPC.1-2009 Organizational Resilience: The ANSI/ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use American National Standard


Why get certification? The best reason for wanting to implement international standards is to

improve the efficiency and effectiveness of company’s operations.

Having implemented, companies can either: No further action Complete a Self-Declaration Have the management system certified by an independent auditor

Deciding to have an independent audit of the system to confirm that it conforms to BC25999 is a decision to be taken on business grounds

Reasons might include… Recognition Marketing Legal requirements


Questions?


23 April 12, 2023

Stop Check

Documents

BCM Training Part 1 - Introduction To BCM - Business Risk & Management