www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014

Business Resiliency - Institute of Internal · PDF file · 2014-01-16 Business Resiliency Business Continuity Management - January 14, 2014



www.pwc.com

Business Resiliency

Business Continuity Management -

January 14, 2014


PwC

Agenda

• Key Definitions

• Risks

• Business Continuity Management Program

• BCM Capability Assessment Process

• BCM Value Proposition

• Q&A



Key Definitions: The Concept of BCM

• The capability of resuming operations after a significant unplanned event.

• Preparedness and exercise / practice are the keys to success

• Business function resource prioritization (dependency analysis) based on impacts to:

o Technology: data center contents destruction, software malfunction, technology provider outage

o Facilities: earthquake, fire, flood, wind damage, municipal utilities outage, terrorism, political strife

o People: pandemic, political strife, terrorism threat, labor action, impact from natural / man-made event

o Key Third Parties: technology, financial, personnel, transportation and maintenance service provider outage

• Aligned to Enterprise-wide Risk Management and overall business strategies.



Key Definitions: BCM Elements

Business Continuity Management: the process of identifying, preventing, preparing for and responding to events that may disrupt business activities.

Crisis Management: command and control over the response, to make critical decisions and drive communications, both internal and external.

Business Continuity: continuity of critical business functions at an acceptable level during an incident.

Disaster Recovery: restoration of business services and systems (IT and data) during an incident.

Emergency Response: immediate first-response activities to protect lives and limit damage.

Contingency Plan: all-hazard plans for specific response to catastrophic events.



Risks: Why is BCM Relevant Today

• Stakeholder and Board concerns about the level of preparedness

• Concentration of critical functions in fewer locations

• Negative brand and reputational impact

• Investors want to feel confident

• Reduced workforces / ‘optimization’

• Limited capital availability


BCM Drivers (crisis; consolidation and globalization; technology advancement; reputational concerns; regulatory and industry standards; business requirements):

• Thinly populated and high-velocity supply chains and inventories

• Increase in frequency and severity of man-made and natural disasters

• High reliance on enterprise systems (24/7)

• Mergers, acquisitions and divestitures

• Disconnect between IT recovery capabilities and business unit technology availability requirements

• Regulatory and rating agency pressures


Risks: BCM Deployment

• Traditionally focused on emergency response for workforce management, supply chain disruptions and transportation incidents, as well as IT disaster recovery. Elements of external crisis communication are also found.

• Interruption risks that impact corporate functions are infrequently covered.

• If a recent (less than three years old) Business Impact Analysis and interruption Risk Assessment have not been performed, management likely has low awareness of how function interruptions will impact the enterprise.

• Functions potentially needing more rapid recovery, and interim operational procedures for use during an interruption, include:

• Corporate and Business Unit Management functions

• Cash management / Payables, Payroll

• Transportation and Logistics Management

• Human Resources

• Vendor management



BCM Program: Characteristics of a BCM Program


Business Continuity Management rests on four pillars:

Assessment and Ownership

• Critical Asset Inventory

• Enterprise Risks / Impacts

• Program Guide

• Steering Committee

Planning and Deployment

• Integrated plans (ERP, BCP, DR and CMP)

• Tools for plan enablement

• Enhanced for specific events

• Easy to use and update

Exercise / Testing

• Progressive exercise (crawl, walk, run)

• Frequency leveraged into existing lifecycle events

• Report results (Sr Leaders)

Training and Awareness

• Formalized training, easy / simple (annual update and renewal)

• Frequent awareness sessions

• Embedded BCM culture


BCM Program: BCM methodology

The Staircase Methodology is a five-tiered approach to business continuity management (Initiate, Analyze, Strategize, Development, Maintain), supported by numerous tools that enable a set of services relevant to successful programs.

o Initiate: project planning & kick off

o Analyze: Risk Assessment & Business Impact Analysis

o Strategize: recovery strategy development

o Development: plan & recovery capability development

o Maintain: implementation & maintenance

Three tracks run through every tier:

• People / Crisis Management. Strategic command and control: develop unified command and control mechanisms for event identification, evaluation, escalation, declaration, plan activation and deactivation.

• Process / Business Continuity. Keeping the business running: develop recovery strategies and continuity plans for the critical business functions required to sustain an acceptable level of operation during a significant business interruption.

• Technology / Disaster Recovery. Keeping the technology operational: identify the resiliency strategies for the essential information technology infrastructure, hardware, software and data required during a crisis.



BCM Program: Understand the Business


Initiate

Project planning

• Develop program governance

• Establish planning assumptions

• Establish steering committee and program team

• Develop program plan

• Plan tools and approach to meet the organizational culture and requirements

Discovery

• Review the organization’s strategic plans

• Existing documentation reviews (policy, procedures, controls, org)

• Questionnaires and surveys

• Interviews and workshops (gather data and train)


BCM Program: Risk and Business Impact Analysis

This is the core component of the BCM process: quantify risks and impacts.

Analyze

• Inputs: surveys, one-on-one meetings, facilitated sessions, executive management validation.

• Question asked of every function: what is the business impact?

• Scope: business functions, assets and systems. 100 percent of processes (the “useful many”) are reviewed; roughly 20 percent of processes (the “critical few”) emerge as the critical functions.

• For each critical function: identification of supporting technology services, vital records, facilities, personnel requirements, internal interdependencies and critical third parties.


BCM Program: Determine Recovery Solutions


Strategize

• Identify recovery capability gaps

• Integrate and finalize recovery requirements

• Recommend risk mitigation measures

• Review and assess current strategies

• Identify and price recovery strategy alternatives

• Evaluate recovery vendors if needed

• Quantify critical resources by function and develop the recovery timeline

• Quantify and qualify appropriate recovery options

• Management checkpoint – review options and select recovery strategy

• Develop implementation procedures for selected strategy

Recovery strategy development
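The dependency analysis of the Analyze step (supporting technology, interdependencies, the “critical few”) and the gap identification of the Strategize step can be made concrete. The Python below is an added example, not code from the PwC deck: it takes a constructed set of business functions (each with an RTO in hours and a BIA impact score) and supporting resources (each with a recovery time achievable, RTA, and its own dependencies), propagates the tightest business RTO down the dependency graph so that every resource carries the requirement the business actually places on it, and then lists the resources whose RTA falls short, which is the disconnect between IT recovery capability and business unit availability requirements named earlier. The function and resource names, the hours and the impact scores are all assumptions, as is the simplification that dependencies are recovered in parallel.

```python
"""Business impact analysis helpers: push business-function RTOs onto the
resources they depend on and flag recovery-capability gaps (RTA > required RTO).
Added example; all data below is constructed for illustration."""

# Constructed sample. Business functions: recovery time objective (hours),
# BIA impact score (10 = most severe) and direct resource dependencies.
FUNCTIONS = {
    "Payroll":           {"rto": 24,  "impact": 9,  "depends_on": ["HR-System", "Bank-Gateway"]},
    "Cash Management":   {"rto": 4,   "impact": 10, "depends_on": ["Treasury-App", "Bank-Gateway"]},
    "Vendor Management": {"rto": 72,  "impact": 4,  "depends_on": ["ERP"]},
    "Logistics":         {"rto": 8,   "impact": 8,  "depends_on": ["ERP", "Telematics"]},
    "Marketing Site":    {"rto": 120, "impact": 2,  "depends_on": ["Web-CMS"]},
}
# Supporting resources: recovery time achievable (hours) with today's DR
# arrangements, and what each resource itself depends on.
RESOURCES = {
    "HR-System":    {"rta": 48, "depends_on": ["Primary-DC"]},
    "Bank-Gateway": {"rta": 2,  "depends_on": ["Primary-DC", "Telco-Link"]},
    "Treasury-App": {"rta": 12, "depends_on": ["Primary-DC"]},
    "ERP":          {"rta": 24, "depends_on": ["Primary-DC"]},
    "Telematics":   {"rta": 6,  "depends_on": ["Telco-Link"]},
    "Web-CMS":      {"rta": 4,  "depends_on": []},
    "Primary-DC":   {"rta": 36, "depends_on": []},
    "Telco-Link":   {"rta": 4,  "depends_on": []},
}


def required_rtos(functions, resources):
    """Required RTO of each resource: the tightest RTO of any function that
    depends on it, directly or through other resources. Worklist propagation:
    a resource is re-queued only when its requirement tightens, so shared
    dependencies inherit the minimum and the loop terminates even on cycles."""
    required = {name: float("inf") for name in resources}
    worklist = []
    for fname, f in functions.items():
        for dep in f["depends_on"]:
            if dep not in resources:
                raise KeyError(f"{fname} depends on unknown resource {dep!r}")
            if f["rto"] < required[dep]:
                required[dep] = f["rto"]
                worklist.append(dep)
    while worklist:
        res = worklist.pop()
        for dep in resources[res]["depends_on"]:
            if required[res] < required[dep]:
                required[dep] = required[res]
                worklist.append(dep)
    return required


def recovery_gaps(functions, resources):
    """Resources whose achievable recovery is slower than the business needs.
    Returns (resource, rta, required_rto, shortfall_hours), largest gap first."""
    required = required_rtos(functions, resources)
    gaps = [(name, r["rta"], required[name], r["rta"] - required[name])
            for name, r in resources.items()
            if required[name] != float("inf") and r["rta"] > required[name]]
    gaps.sort(key=lambda g: (-g[3], g[0]))
    return gaps


def transitive_deps(resources, start):
    """Every resource reachable from `start`, inclusive (iterative, cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        res = stack.pop()
        if res in seen:
            continue
        seen.add(res)
        stack.extend(resources[res]["depends_on"])
    return seen


def functions_at_risk(functions, resources):
    """Functions whose RTO cannot be met today. Assumes (a simplification of
    this example) that dependencies recover in parallel, so the effective RTO
    is the slowest resource anywhere in the function's dependency tree."""
    at_risk = {}
    for fname, f in functions.items():
        deps = set()
        for d in f["depends_on"]:
            deps |= transitive_deps(resources, d)
        effective = max((resources[d]["rta"] for d in deps), default=0)
        if effective > f["rto"]:
            at_risk[fname] = (f["rto"], effective)
    return at_risk


def critical_few(functions, fraction=0.2):
    """The 'critical few': functions ranked by BIA impact (ties broken by the
    tighter RTO, then name), cut at the given fraction of all processes."""
    ranked = sorted(functions, key=lambda n: (-functions[n]["impact"], functions[n]["rto"], n))
    return ranked[:max(1, round(len(ranked) * fraction))]


if __name__ == "__main__":
    print("Critical few:", critical_few(FUNCTIONS))
    for name, rta, need, short in recovery_gaps(FUNCTIONS, RESOURCES):
        print(f"GAP {name}: RTA {rta}h vs required {need}h (short by {short}h)")
    for name, (rto, eff) in functions_at_risk(FUNCTIONS, RESOURCES).items():
        print(f"AT RISK {name}: RTO {rto}h, realistic recovery {eff}h")
```

With the constructed data the shared data center inherits the 4-hour requirement of Cash Management through the bank gateway and treasury application, so it tops the gap list even though no business function names it directly; that is the kind of hidden dependency the BIA is meant to surface, and the priced strategy alternatives of the Strategize step are then scoped to the resources on that list rather than to every system.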


BCM Program: Design and Build the Program and Plans


Development

• Establish planning assumptions

• Determine plan tools and approach to meet the organization’s requirements

• Document plans and procedures for organization or individual business processes

• Develop emergency action and crisis management procedures

• Develop recovery and communications plans (IT and Business)

• Develop migration procedures (IT and Business)

• Develop operational procedures (IT and Business)

• Document recovery team procedures (IT and Business)

• Identify assessment and change triggers

• Develop recovery plan testing strategy

• Develop training strategy, procedures and plan

• Management checkpoint

Plan and Recovery Capability Development


BCM Program: Operate and Sustain the BCM Program


Maintain

• Facilitate implementation

• Embed and Integrate BCM into end-to-end program management

• Develop and conduct testing, training, and maintenance processes and tools

• Conduct simulations and plan enactment

• Revise and validate BCPs/DRPs/CMPs

• Develop maintenance processes to support plans and capabilities

• Periodic program assessment, benchmarking and maturity ranking

Implementation and Exercise Testing: a progressive exercise program

• Table Top: build understanding; confirm strategy and plan components.

• Component: test that strategy components and plan elements work individually.

• Simulation: practice real-time responses; test actual strategies; build confidence.


BCM Capability Assessment Process

Each dimension of the program is rated from Level 1 to Level 5:

Level 1

• No designated sponsor

• No risk assessment / BIA

• RTOs not identified

• Business recovery strategies not documented

• No maintenance or testing

Level 2

• Steering committee exists

• Risk assessment / BIA

• Application RTOs defined

• Limited documentation

• Limited alignment of BCM with IT needs and capabilities

• Limited program testing

• Training procedures in place and documented

Level 3

• Program sponsorship

• Assessments

• Business RTO and application RTA optimized

• Framework for recovery & restoration established

• Critical dependencies identified

• Documentation not validated for all plans (EAP, CMP, BCP)

• Testing occurs with the communications tools to be used during recovery

• Objective program review occurs periodically

Level 4

• BC program policies and standards documented

• Detailed business impacts and risks quantified

• Fully documented plans, up to date with dependencies (internal and external)

• Detailed plans for failover and failback of all critical systems developed

• Employees aware of the program and involved in drills that successfully demonstrate recovery within stated RTOs

• Pre-defined maintenance triggers in place and followed for automatic plan updates

• Formal test schedule

Level 5

• A culture of business resiliency exists and is embedded in day-to-day operations

• Importance of BC is applied to external parties

• Robust testing performed throughout the year, including tests with key vendors and ad-hoc / surprise tests

• Change management, risk management, SDLC and training programs have BCM compliance gates

• System is in place to maintain employee competency for performing recovery responsibilities

• Senior management reviews the program at pre-determined intervals against defined metrics

Dimensions assessed: Risk Assessment; Business Impact Analysis; Policy & Governance; Business & Technology Recovery Strategies; Plan Development, Documentation & Implementation; Testing; Sustainability / Maintenance; Training & Awareness; Review.

Our operational preparedness reviews benchmark against BCM leading practices.


BCM Value Proposition

Reduces the impact of business interruptions through careful advance planning for key services and processes, by identifying “mission critical” business processes and their supporting resources (cost-effective and practical).

Ensures rapid availability of management decision-making capability and communication.

Balances recovery strategy options between real estate costs and physical diversity protection; the cost-benefit balance addresses competing technical and business priorities (objective approach).

Reduces the risk of potential loss of customers, brand reputation, revenue and assets.

Potentially enhances the risk profile with insurance carriers, affecting Property, BI (business interruption), CBI (contingent business interruption), Extra Expense, D&O and E&O coverage / premiums.

Reduced risk and improved recovery times.
