Willis Business Continuity Management September 2002 1
Continuity Management is Business Survival
Business Continuity Management
January 2004
Business Continuity Management is rapidly developing in importance and many organisations now regard it as a 'must have', not an optional extra. It is however a truism that many organisations and individuals have reached that conclusion after being involved in an event, and even more so, following the horrific tragedy of 11 September 2001.
The reality is, however, that only 30% of companies view Business Continuity Management as an integral part of their business planning.
It is not therefore surprising that TWO out of every FIVE organisations will not survive a disaster or a major service interruption.
Of the remaining three, ONE will be out of business within two years.
Business Survival
It is about managing the risks that threaten the survival and prosperity of an organisation – a strategy for a secure future.
All organisations are actively engaged in managing the multitude of risks faced in the 21st Century. However, the time, effort and resources given to each is often not proportional to the severity of the potential outcome, particularly when measured in business impact terms.
Only TWO out of FIVE businesses will survive.
Traditionally, Business Continuity Management (BCM) has been focussed on disaster planning, i.e. a process to manage the immediate aftermath of a major incident. Whilst this is an essential element, it is only a part of a comprehensive Business Continuity Plan.
A brilliant plan is no answer to a disaster that should have been prevented from happening. An effective process therefore critically examines the whole 'risk cycle' of a business, from the prevention of an untoward event occurring through to reinstating its operation should all be totally lost. It looks at before, during and after.
The 'survival' rationale for a Business Continuity Plan is compelling and is further enhanced by other factors:
• Centralisation of processes and services to maximum efficiency and cost benefits, reducing resilience opportunities;
• Customer service and reliability requirements that are unforgiving to stoppages, outages or delays;
• Growth in e-commerce and overall IT dependency;
• Corporate Governance requirements for 'loss mitigation' strategies which are being reflected down the whole supply chain;
• Instantaneous vulnerability of share prices to bad news;
• News, media and public's insatiable appetite for disaster or crises events;
• Ever increasing range of threats to the business, many being from external sources;
• The main cause of a crisis is not big-bang issues but 'soft' and slow-build events (65%).
Before:
• Identify what can cause an accident or incident that could seriously interrupt or harm the business, the potential threats – a Business Impact Analysis.
• Evaluate whether all reasonable preventive controls are in place.
During:
• Are appropriate measures in place to stop an incident escalating, if it starts, in the form of emergency plans?
• If the event was not foreseeable, or the emergency measures were not entirely successful, will the right people make the right decisions in the crisis?
After:
• Rapid and appropriate action is needed to salvage as much as possible.
• Determine what needs to be done to continue critical functions within tolerable time scales.
• Consider what pre-planning is necessary to rebuild or reinstate the business.
The BCM process attempts to balance the pre-incident and the post-incident measures
[Figure labels: Prevention, Resilience]
Threats
• Industrial Accident – Fire, explosion or failures
• Natural Disasters – Flood, lightning or subsidence
• Casualties – Deaths or multiple fatality
• Environmental – A release to air, water or land
• Product Safety – Product contamination, recall or extortion
• Discrimination – Employee or social responsibility
• Regulatory Action – Prohibition or prosecution
• Violence – Terrorism, kidnap or espionage
• IT systems – Outages, security or Internet dependency
• Whistleblowing – Public release of damaging information
Services
Willis has extensive experience in facilitating and assisting clients to produce and test Business Continuity Plans. A team of experienced risk management advisers can tailor an assistance programme to meet your needs. It is essential that your own staff have a significant involvement in the process to ensure their buy-in to the outcome and confidence in the ability to manage an adverse event effectively.
Our services include:
• Production of Business Continuity Plans
• Auditing existing plans
• Development of existing disaster plans into Business Continuity Plans
• Development of threat specific emergency or contingency plans
• Testing of plans
• Training staff, including media management
• Review of suppliers' Business Continuity Plans
• Business interruption insurance reviews
Risk Financing and Insurance
Comprehensive and effective Business Continuity Plans are vital to support and optimise risk financing and insurance programmes, particularly Business Interruption and other related covers. Such plans demonstrate to underwriters a commitment to mitigating loss and evidence the strategy and implementation processes. They are vital to obtaining best possible terms and optimum premiums. In addition they inform the decision making process in selecting the most appropriate basis of cover, including:
• 'first loss' options
• indemnity period
• additional increased cost of working cover
• customer and supplier dependency limits
• utilities or denial of access extensions
Business Continuity Plans that encompass balanced 'preventive and resilience' strategies further enhance a wider insurance risk profile, assisting in stabilising insurance costs long term.
Where to start?
A new company, new facility or major extension provides the opportune moment to undertake the whole exercise from both Threat and Business Impact Analysis, right through to building in resilience strategies. It has the time to stand back and balance preventive and resilience aspects for an optimum blend from day one.
In the case of an existing company or facility, there will already be in place a range of preventive controls and the priority will therefore often be to build in some resilience strategies. This will usually take the form of an initial Crisis Management Structure together with Disaster Plans to cater for the 'obvious' critical functions, making best use of existing resources and ready options. In the fullness of time the full evaluation of the whole 'risk cycle' and the 'balancing' can be undertaken with refinement of the plans as appropriate.
Please contact a Continuity Management and Security (CMS) member in your local Willis office for further advice.
Willis Limited
Ten Trinity Square
London EC3P 3AX
United Kingdom
Telephone: +44 (0) 20 7488 8111
www.willis.com
Member of the General Standards Insurance Council
RET/652/02/09