Willis Business Continuity Management September 2002 1

Continuity Management is

Business SurvivalBusiness Continuity ManagementJanuary 2004

2 Willis Business Continuity Management January 2004

Continuity Management is

Business Survival

Business Continuity Management israpidly developing in importance andmany organisations now regard it as a'must have', not an optional extra. It ishowever a truism that manyorganisations and individuals havereached that conclusion after beinginvolved in an event, and even moreso, following the horrific tragedy of11 September 2001.

The reality is, however, that only 30% ofcompanies view Business ContinuityManagement as an integral part of theirbusiness planning.

It is not therefore surprising that TWOout of every FIVE organisations willnot survive a disaster or a majorservice interruption.

Of the remaining three, ONE will be outof business within two years.

Business Survival

It is about managing the risks thatthreaten the survival and prosperityof an organisation – a strategy for asecure future.

All organisations are actively engaged inmanaging the multitude of risks faced inthe 21st Century. However, the time,effort and resources given to each isoften not proportional to the severity ofthe potential outcome, particularly whenmeasured in business impact terms.

Continuity Management is

Only TWO out ofFIVE businesseswill survive.

Willis Business Continuity Management January 2004 3

Continuity Management is

Business Survival

After

Traditionally, Business Continuity Management (BCM),has been focussed on disaster planning i.e. a process tomanage the immediate aftermath of a major incident.Whilst this is an essential element, it is only a part of acomprehensive Business Continuity Plan.

A brilliant plan is no answer to a disaster that shouldhave been prevented from happening. An effectiveprocess therefore critically examines the whole 'riskcycle' of a business from the prevention of an untowardevent occurring through to reinstating its operationshould all be totally lost. It looks at before, duringand after.

The 'survival' rationale for a Business Continuity Plan iscompelling and is further enhanced by other factors:-

• Centralisation of processes and services to maximumefficiency and cost benefits, reducing resilienceopportunities;

• Customer service and reliability requirements thatare unforgiving to stoppages, outages or delays;

• Growth in e-commerce and overall ITdependency;

• Corporate Governance requirements for 'lossmitigation' strategies which are being reflected downthe whole supply chain;

• Instantaneous vulnerability of share prices to badnews;

• News, media and public's insatiable appetite fordisaster or crises events;

• Ever increasing range of threats to the business,many being from external sources;

• The main cause of a crisis is not big-bang issues but'soft' and slow-build events (65%).

During

Before

4 Willis Business Continuity Management January 2004

Continuity Management is

Business Survival

Identify what can causean accident or incidentthat could seriouslyinterrupt or harm thebusiness, the potentialthreats – a BusinessImpact Analysis.

Evaluate whether allreasonable preventivecontrols are in place.

Before:

Are appropriate measuresin place to stop anincident escalating, if itstarts, in the form ofemergency plans.

If the event was notforeseeable, or theemergency measureswere not entirelysuccessful, will the rightpeople make the rightdecisions in the crisis.

During:

Rapid and appropriateaction is needed tosalvage as much aspossible.

Determine what needs to bedone to continue criticalfunctions withintolerable time scales.

Consider what pre-planningis necessary to rebuild orreinstate the business.

After:

The BCM process attempts to balance the pre-incident and the post-incident measures

Industrial Accident – Fire, explosion or failuresNatural Disasters – Flood, lightning or subsidenceCasualties – Deaths or multiple fatalityEnvironmental – A release to air, water or landProduct Safety – Product contamination, recall or extortionDiscrimination – Employee or social responsibilityRegulatory Action – Prohibition or prosecutionViolence – Terrorism, kidnap or espionageIT systems – Outages, security or Internet dependencyWhistleblowing – Public release of damaging information

Threats

Prevention Resilience

Willis Business Continuity Management January 2004 5

Continuity Management is

Business Survival

Willis has extensive experience infacilitating and assisting clients toproduce and test Business ContinuityPlans. A team of experienced riskmanagement advisers can tailor anassistance programme to meet yourneeds. It is essential that your own staffhave a significant involvementin the process to ensure their buy-in tothe outcome and confidence in the abilityto manage an adverse event effectively.

Our services include: -

• Production of Business ContinuityPlans

• Auditing existing plans• Development of existing disaster

plans into Business Continuity Plans• Development of threat specific

emergency or contingency plans• Testing of plans• Training staff, including media

management• Review of suppliers' Business

Continuity Plans• Business interruption insurance

reviews

Services

Comprehensive and effective BusinessContinuity Plans are vital to support andoptimise risk financing and insuranceprogrammes, particularly BusinessInterruption and other related covers.Such plans demonstrate to underwritersa commitment to mitigating loss andevidence the strategy and implementationprocesses. They are vital to obtaining bestpossible terms and optimum premiums. Inaddition they inform the decision makingprocess in selecting the most appropriatebasis of cover, including:-

• 'first loss' options• indemnity period• additional increased cost of

working cover• customer and supplier

dependency limits• utilities or denial of access extensions

Business Continuity Plans that encompassbalanced 'preventive and resilience'strategies further enhance a widerinsurance risk profile, assisting instabilising insurance costs long term.

Risk Financing and Insurance

Where to start?

A new company, new facility or major extension provides the opportune moment to undertake the whole exercisefrom both Threat and Business Impact Analysis, right through to building in resilience strategies. It has the time tostand back and balance preventive and resilience aspects for an optimum blend from day one.

In the case of an existing company or facility, there will already be in place a range of preventive controls and thepriority will therefore often be to build in some resilience strategies. This will usually take the form of an initial CrisisManagement Structure together with Disaster Plans to cater for the 'obvious' critical functions, making best use ofexisting resources and ready options. In the fullness of time the full evaluation of the whole 'risk cycle' and the'balancing' can be undertaken with refinement of the plans as appropriate.

Please contact a Continuity Management and Security (CMS) member in your local Willis officefor further advice.

6 Willis Business Continuity Management September 2002

Continuity Management is

Business Survival

Willis Limited

Ten Trinity SquareLondon EC3P 3AXUnited KingdomTelephone: +44 (0) 20 7488 8111

www.willis.com

Member of the General Standards Insurance CouncilRET/652/02/09