Risk

IBM Business Resilience & Continuity Services

2006 Offerings © 2005 IBM Corporation

Preparedness, Mitigation, Response, Recovery

IBM Crisis Response Team

Risk & Continuity Management Services

OCHA & IBM Confidential © 2003 IBM Corporation

OCHA: COOP IBM Crisis Response Team

IBM 20062006 Offerings

Changing EnvironmentToday’s Risk & Crisis Management Challenges• Expanding Risk Exposures – natural & man made

• Natural Disasters have continued to increase in intensity and impact.• Our Critical Lifeline Infrastructure (power, water, telephone) is rapidly aging • The effects of a low probability, high impact terrorism event can not be ignored

• Insurance Coverage Limitations• Business Interruption Premiums have significantly increased since September 11• Coverage Levels have Decreased • Minimal acceptable coverage standards have Increased • Business Owners are forced to accept, own, and manage higher levels of risk

• Critical Facility Consolidation• Close proximity of critical facilities increases the risk of a catastrophic shut-down

and loss• Competitive pressure and consolidation can place “all the eggs in one basket”




Changing EnvironmentToday’s Risk & Crisis Management Challenges

• Changing Social & Financial Standards• “Enron” type operations or ignoring known risks is not acceptable to stockholders,

customers, employees, or regulators. • Accurate record keeping and reporting is mandatory• Preparedness is expected, “Failure is not an option”

• Legal Regulations & Governance Issues• Continued increase in Legislative and Regulatory Actions: Sarbanes Oxley, etc.• Major penalties for non-compliance: Fines, Jail

• Department “Stovepipes”, Incentives, Measurements• Effective Risk Management must cross ALL departments and functions• Internally focused department incentives and measurements can be detrimental

• Reputation and Competitive Health• You can not purchase insurance to protect against Loss of Reputation

or Loss of Market Share




Risk & Crisis Management ServicesCustomer Executive Focus Items:

• Identification of Risk and Operational Exposures

• Build the capability to ensure continuous delivery of essentialbusiness services during times of crisis

• Protect critical facilities, personnel, equipment, records, assets

• Reduce risk and mitigate potential disruption to operations• Protect reputation, maintain competitive posture• Balance risk mitigation benefits Vs. cost• Implementation of “minimal standards” and “best practices”• Identify and eliminate “stove pipe” roadblocks to preparedness• Build a Disaster Resilient Business




Risk & Crisis Management Services

Economic Benefits of Risk Management & Mitigation

• Maintain insurance policy minimal standards of protection• Maximize Cost Vs. Benefit return on mitigation investment• Protect stockholder (owner) value

• 2 year Congressional Study: mitigation investment

A business can save $4 for every $1 invested in Mitigation

• Building a disaster resilient business will reduce costs, limitexposures, and maintain operational continuity while protectingproperty and people.




Risk & Crisis Management

Pre-Disaster - “EVENT” - Response - Recovery

Preparedness& Mitigation

Continuity of Operations &Continuity of Government

Business & CommunitySurvivalCost vs. Benefit





IBM Pre-Disaster Services (Preparedness & Mitigation)

Integrated Vulnerability & Continuity Assessment (IVA)Emergency Equipment Acquisition ServicesCustomized Services




Integrated Vulnerability & Continuity Assessment

• The IVA is an on-site risk assessment, documentation review, customizedreporting, and re-validation engagement process.

• The IVA will increase the client’s level of preparedness while reducing thepotential cost and impact of a crisis.

• The IVA draws on proven field experience to identify operational & physicalsingle points of failure and develop appropriate mitigation measures .

The IVA is a high value FIXED PRICE service offering.

The IVA is one of IBM’s most effective, requested and proven riskmanagement and consulting service capabilities. The IVA provides asolid foundation for constructing a disaster resilient operation.




Integrated Vulnerability & Continuity Assessment (IVA)

The Integrated Vulnerability & Continuity Assessment review (IVA) addresses Continuity of Operations, Resiliency, Vulnerability and Mitigation measures as they apply to business operations, a specified critical site, or mission-critical functions within a site. The main elements of the IVA are as follows:

1. Identification of potential single points of failure, problem areas or risks that could seriously impact vital business operations or functional capabilities including secondary exposures that may not be readily apparent.

2. Document exposures, findings and the recommended actions to reduce risk and improve the continuity and disaster resiliency of critical operations and facilities.

3. Schedule and conduct an on-site follow-up Validation Review to help ensure critical exposure areas are being addressed and included as part of an on-going resiliency process.





Integrated Vulnerability & Continuity Assessment (IVA)– The IVA methodology is comprised of six main components:

–– 1.) 1.) Documentation ReviewReviewWe will ask to review existing disaster notification, response, recovery, and continuity of operations plans. We will also ask to examine the facility electrical and mechanical single line drawings looking for readily apparent potential single points of failure. Prior study or site analysis information will also be reviewed if available.

– 2.) Site Walk-Thru The on-site walk-thru will be conducted by a minimum of three members of the IBM Crisis Response Team and is usually completed in two days. The team members are certified industry experts who have conducted multiple reviews and have managed major crisis events worldwide. The team will look for items that have proven to be problem areas in the past while suggesting actions to correct identified exposures.





Integrated Vulnerability & Continuity Assessment (IVA)– 3.) Strategic Interviews

During our on-site review interviews will be scheduled with department managers and operations personnel that have strategic knowledge in the following areas:· Financial and operational impact of an outage· Critical operating functions and linkages· Interdependencies of business functions and departments· Direct and indirect business impact contingencies· Regulations and legal contingencies · Recovery objectives and timelines· Long term and down-stream contingencies and impact· Insurance considerations including business interruption exposures· Executive commitment, funding, testing, education





Integrated Vulnerability & Continuity Assessment (IVA)4.) Roundtable BriefingFollowing our site walk-thru and documentation review, we will conduct a verbal debriefing session with the designated customer management personnel. At that time, we will present our initial summary of findings and recommendations.

5.) Written ReportA written summary of our findings and recommendations, as discussed in the roundtable briefing session, will be developed and delivered to customer sponsor within 30 working days of completing our site walk-through.

6.) On-Site Validation and Follow-up ReviewAn on-site follow-up review will be scheduled within 8 to 12 months of completing and submitting our IVA written report. The purpose of this follow-up visit is to review the progress being made in implementing IVA recommended actions. The follow-up review can be used by management personnel to ensure critical exposure items are being addressed, protective operational procedures are implemented, and planning, operations and exercise documents are properly maintained.





Integrated Vulnerability & Continuity Assessment (IVA)– Risk Management, Continuity of Operations, Critical Incident, and

Critical Site Infrastructure focus– Identification of potential single points of failure, risk management

considerations and mitigation actions to reduce operational exposures– Customized, confidential written assessment report including

findings, recommendations and prioritization– Continuity of Operations and Documentation Review– Assessment of: critical functions, operations, contingencies, general

building, electrical, mechanical, structural, personnel, insurance, financial, etc.

– On-Site Review, Interviews, Summary Briefing, Written Report– 8 to 12 month on-site Validation ReviewCost: $55,000 plus travel & living per site





Emergency Equipment Acquisition Services – 24 hour X 365 day Availability (subscription service)– Access to International IT Equipment Brokerage Services– Identification of new or used equivalent function equipment– All major manufactures covered – Lease, rental, and purchase options available– International acquisition and shipment capabilities– Low cost, peace of mind solution– Linkage to insurance claim management services– Access to Equipment Restoration, and Salvage Services

Cost: $350 / month (data center up to 49K sq ft – no mainframe)$1200 / month (data center over 49K sq ft – mainframe)






IBM Pre-Disaster Services (Customized Offerings)

Site Selection ServicesContinuity of Operations ExercisesCritical Incident Planning ServicesGovernment Sector COOP Support





IBM Response & Recovery Services

Risk Management and Resiliency Subscription Services




Risk Management and Resiliency Subscription Service– 24 hr / 365 day availability of IBM Crisis Response Team resources and

disaster management professionals with proven experience in responding to over 70 critical incidents in 40 countries.

– Complete access to IBM Crisis Response Team response and recovery services

– Annual review of continuity of operations plan & capabilities– Participation in continuity of operations exercises– On-site executive level risk assessment review and assistance in the

identification and implementation of “minimal standards” and “best practices” to build a disaster resilient operation

– Assist in representing the best interests of the subscriber when reviewing or managing all continuity of operation issues

Cost: $1,200 per month / site (Discount for multi-site and enterprise wide coverage)





– 24 hour / 365 day on-call availability.

– Actively support and guide critical business functions.

– Facilitate cross department / agency linkage and communication.

– Review on-scene action plans based on experience in similar disasters.

– Focus resources towards high value activities.

– Identify the self interest of all parties responding.

– Assist in rapid damage assessment & the coordination of needed external resources.

– Assist in the identification of immediate financial and insurance coverage issues.

– Assist in the identification of operational alternatives.

– Assist with urgent personnel productivity, trauma and media relations issues.

– Assist in rapid relocation and fit-up services.

– Resolve conflict among agencies while representing the best interests of the customer.

– Provide rapid application development, implementation, and customization services.

Risk & Crisis Management ServicesSubscription Customers: Time of Disaster Services




Risk & Crisis Management ServicesSubscription Customers: Post-disaster Services

– Assist in reviewing operational, social, political, environmental, and economic considerations of proposed recovery action plans.

– Assist in prioritization of tasks and coordination of critical business functions to accelerate recovery and minimize potential losses.

– Assist in recommending actions to protect reputation and market share.– Assist in managing financial restitution process.

– Development and implementation of crisis event cost management systems.– Coordinate and manage the insurance claim process. – Coordinate and complete federal project grant / claim worksheets in the event

of a catastrophic domestic disaster. – Assist in reviewing emergency programs, legislation, or policies which will assist

or impact disaster victims and businesses.– Design and implement tracking systems to support recovery actions. – Facilitate cross department and agency linkage and communication.– Take actions that will reduce the impact of future crisis events.




IBM Crisis Response TeamWorldwide Segment Manager

Brent Woodworth

[email protected] office800-401-8292 page

Documents

Risk