Hisham Moustafa & Simon Doherty

7/31/2019 Hisham Moustafa & Simon Doherty

1/37


2/37

H is h a m M o u s t a fa , R is k M a n a g e m e n t A d v is e r , V M I AS im o n D o h e r t y , R i s k M a n a g e 'm e n t A d v is e r, V M I A

T h e B C j o u r n e y i n t h e V P S


3/37

Todayrs themes 2010 VMIA survey results - A snap shot of the Victorian Public

Sector Be maturity 'Awork in progress' - assisting the public sector to build Be

maturity Observations, common chaLLenges, learnings and themes from

sector work to-date.


4/37

W h o a r e t h e ' V M I A ?The YMIA offers a comprehensive range of risk management and insurance services to morethan 4,500 clients including:

Redu ;CO T0 1 II C i il il j i- fR l ii k10 GOVER .NMEN I iI '

Victorian Government departments Statutory authorities and agencies Public health institutions Community service organisations.

To meet this diverse qroup of clients' needs, the YMIA has adopted an operating model thatseeks to reduce the total cost of risk (TCoR)to the State and to its clients.This model leverages the combined strength of the VMIA's three integrated roles of being:

Adviser to Government Risk management adviser State insurer.

Reodu;C8Total COSlofRlskto CLiEto'S


5/37

V M I A B C M s u r v e y : W h a t d id i t s h o w u s ?C o n d u c t e d la t e N o v e m b e r 2010


6/37

(1" '11 BO The l8 I . dne ! ls { ( ]n t in u iW t~'a~iaDernerrt S!J~ zen(1" '11 BO The l&. !s i ness { ( ]n t i nu iW t lanaDernerrt S!J~ ~(il~

The support is there: 61 % EW BCM alre ad y an e stablis he d priority. 90% adequate Snr Mgt involvement and commitment 35% BCM es tablish e d Sy+ (27% 8 (112), 26% in place 3-4y (2.2% 8CI12). 66% EW BCM activities we lll s u pporte d by sn r management's commitment.

Plan s in place but n o t c omp re h e n s iv e: 58% BCPs developed & EW (73% BCll1&12(Gov)). 35% clearly articulated and current plan

C ris is M an a'gem en t P la n. Some BCP e lemen ts are a lre ady in p lace as part of BAU , e.q, DRP , ERM p ro ce d ure s , off-site

of records etc


7/37

CM ,l ll lC l T h e B 'u s ir ne s s ( on tt in : ui ty M a :n o ,g :e m en t S u rv e y 2 0 11eM,! sc I T h ~ B 'u s ir n e ss ( on t ri n ui ty M a n ., g, eme n t S u rv e y 2012

2010 V M IA B C M s u r v e y : W h a t d id i t s h o w u s ? ( r o n ' t )The quality and understanding:

On ly 59.5% had a comprehensive understandinq of their key interruption risks 45% indicated the ability of HCM to support the org was 'Somewhat effective'

BCM pro fe ss iona ls : In-house development of BCPs (69% ) BCM part of job d escrip tion (38%) 52% have no SCM FT or PT professlonals within their org BCM faUs within RM corp function (39%).

A shinning Light: For the most recent business interruption, recovery objectives were completely met by48% of respondents and service LeveLswere completely maintained by 47% ofrespondents (BCI 74% 2011 79% 2012).


8/37

V P S o r g a n is a tio n s t h a t h a v e a c t i v a te d B C P s o r C M P s in l a s t 12 m o n t h s ( t o s u rv e y ) .54%


9/37

2010 V M I A B C M s u r v 1 e y : W h a t d i d i t s h o w u s ? (cent)Tech related:Commun i ca ti on f ai lu r IT/technology (hardware, software fa~LLJre)Security breach

Suitt environment:Serv ice provider/supply chain fai lureUt il it y outage (power , gas, water )~a.cilities fa ilure/rnove

VMIA 2010 BCI 2011 BCI 201234.5% 20% 24%32.,8% 34% 39%3.4% 4% 6%

VMIA 2010 BCI 2 01 :1 1. BC 12 0J 1. 26.9%

60.3%12.1%19%16%26%

15%14%20%

Natural envi ronment :Human error/man-made disaster (e.g. f ire, accidents)External ernerqencles/natural disaster {e.g. bush fires" f lood}

VMI,A 20106. .9%

37.9%


10/37

2010 V M I A B C M s u r v e y : W h c

T ech re La te d:Communication failureIT /te ch noLogy (h ard ware , s oftw are fa ilu re )S ecu rity bre ach

VM IA 2010 BC I 2011 BC I 201234.5% 20% 24%32.8% 34% 39%3.4% 4% 6%


11/37

112

l012%~%1 %

Natural environment:Human error/man-made disaster (e.g. fire, accidents)E xte rn aL em erg en cie s/n atu ra L d is as te r (e .g. bu sh fire s, flood )

VMIA 2 0 1 06.9%37.9%

B C I 2 0 1 14%64%

B C I 2 0 1 26%

49%


12/37

Built environment:Service provider/supply chain failureUtility outage (power, gas, water)Facilities failure/move

V M I A 2 0 1 06.9%60.3%12.1%

S C I 2 0 1 119%16%26%

N cH lEx

B C I 2 0 1 215%14%20%


13/37

W h a t s h o u l d b e k e e p in g t h e V P S u p a t n ig h t ?


14/37

BCI survey: Horizon Scan 2012Sector Top three' threats

Financial Services 1. Unplanned IT/Telecom outage ( 8 0 % ) , 2. Cyber attack (7'1%) & 3. Databreach (68% ) .Information & 1. Unplanned IT/Telecom outage (8110/0).,2.,ata breach (77%,) & 3. CyberCommunication attack (750/0).Professional services 1. Data breach (66%), 2. Unplanned IT/Telecom outage (65%) & 3. Cyberattack (60%).Public administration 1..Adverse weather (74 % ),2., Unplanned ITlTelecom outage ( 6 0 % ) &Human illness (60%)Manufacturing 1. Supply chain disruption (76%), 2. Unplanned IT/telecom outage (7'1%) &3. Product safety incident (53%).Health & sociiallcare 1.Adverse weather ( 6 9 % ) , 2. Data breach (69%) & 3. Unplanned IT!telecom outaqs ( 6 3 % ) .Utilities 1. Cyber attack (820/0),2. Adverse weather (81% ) & Interruptiion to utilities

supply (77%).CM I B cl The Business CcntinLlity t - teneqemem Siul"Y'e'j1Mi


15/37

B C I i m e l h e

bsi. . -. ! M I' 1! ~ . , . _


16/37


17/37


18/37


19/37

'~ ~~/' b } " ' ( , "i l ''.'.. ,'

' .j'


20/37


21/37

-2002 2003 2004 2005 2006


22/37


23/37

2005 2006 2007 2008 2009


24/37

Victorian GovernmelltRisk ManagementframeworkMar(h2.oU


25/37

'Vict,orian GovernmentR.lskManagementFrillilleworl{MardJ 2011

Intem'at ionalO rg an iiza Uo n fo rStandardizat ion


26/37

B C I i m e l h e

bsi. . -. ! M I' 1! ~ . , . _


27/37

C h a l l e n g e s r e m l a i n i n g


28/37

M a n d a te a n d c D m m i t m e n t

1UtJl!!~~! ! ~~~ :: : . "" In"",

I n t e g ra ti n g B C M

E x e r c i s i n g

F it ti n g i t i n> The Compliance, Risk, Quamy,

Busine5; Co"ti~uity, OHS Mar"gr"> A 'busynes culture

Keep the plans alive!


29/37

M a n d a t e a n d c o m m i t m e n t


30/37

The busiiness continuity plan (Marsh)http://Www..nstghts_mlarsh_coml

EmergencyII"spo:r1lselan

Crisis management!communication plan

Time objective


31/37

F i t t i n g i t i n The Compliance, Risk, Quality,

Business Continuity, OHS Manager A 'busyness' culture


32/37


33/37

xernsms


34/37

Keep the pLans aLive !


35/37


36/37

K e y m e s s a g e s Orgs should monitor their key interruption risks 90% said senior mngt commitment was adequate BCM listed as an accountability in position descriptions - 38% Shift from zilch or compliance to quality and sustainabiUty isrequired P olicy environment progressing, as are Standards and Guidelines Support and networks is out there Lack of capability and/or resources though some maturity Mandate, integrate, fit it in, keep it simple, exercise, keep it alive


37/37

Documents

Hisham Moustafa & Simon Doherty