Upload
dinhnhi
View
216
Download
4
Embed Size (px)
Citation preview
Greg Ferris – Executive Director, Morgan StanleyJohn Odermatt – Corporate Director, CitigroupPeter Poulos – Director, Credit Suisse First Boston (CSFB)
Workshop: Lessons in Risk Assessment
2
Workshop Overview
1. Introductions
2. Business Continuity Risk Assessment – Firm Perspectives in Approach
• Morgan Stanley• Citigroup• Credit Suisse First Boston (CSFB)
3. Questions & Answers
3
Business Continuity Risk Assessment –Firm Perspectives in Approach
Morgan Stanley
4
Crit 2 Crit 1
Crit 2Crit 3
Life safety mitigation and response will be constant in all locations
Prioritize business risks:
Crit 1 – Mitigation and response solutions in place for all risks
Crit 2 – Mitigation solutions in place for some risks. Response solutions in place for all.
Crit 3 – No mitigation solutions in place. Response solutions in place for all.
Analysis performed at the regional and divisional level
Probability
Impact
The Macro View: Prioritizing Risk – Determining What Matters Most
5
Identifying Risks
– Think about the events (natural and man made) that could interrupt the normal flow of operations and/or threaten the well being of employees
– Don’t focus purely on disasters in the classic sense
– Try to focus on the effect of the problem as opposed to it’s cause
Assessing Risk
– Assess the probability/impact of each risk statement
– Provide a criticality ranking for each
The Macro View: Cataloging and Assessing Risk
6
Probability Scoring
1 Greater than 66 percent chance of occurrence (will happen or is very likely to happen)
2 33 to 65 percent chance of occurrence (likely to happen)
3 Less than 33 percent chance of occurrence (not likely to occur)
Impact Scoring
1 Outage will result in inability to meet regulatory requirements and introduce excessive risk
2 Outage will not impede ability to meet regulatory requirements or excessive risk, but will impact client service functions
3 Outage will not affect critical functions and/or critical functions are easily failed over
Getting Started: Assessing Probabilities and Impacts
7
Probability Scoring
1 Greater than 66 percent chance of occurrence (will happen or is very likely to happen)
2 33 to 65 percent chance of occurrence (likely to happen)
3 Less than 33 percent chance of occurrence (not likely to occur)
Impact Scoring
1 Outage will result in unacceptable risk to New Jersey’s citizens and/or assets
2 Outage will not result in unacceptable risk to New Jersey’s citizens and/or assets, but will impact continuity of government and/or the ability to communicate with all levels of government
3 Outage will not affect critical functions and/or critical functions are easily failed over
The Macro View: Assessing Risk
8
Criticality Assessment
1 Probability Score 3 to 1 - Impact Score 1
2 Probability Score 2.5 to 1 - Impact Score 2
3 Probability Score 3 to 2.5 – Impact Score 2; Probability Score 3 to 1 –Impact Score 3
The Macro View: Prioritizing Risk
9
Business Continuity Risk Assessment –Firm Perspectives in Approach
Citigroup
10
Sub-processes, Recovery Strategies
& Requirements
Sub-processes, Recovery Strategies
& Requirements
Threat & Vulnerability Assessment (TVA)
BIABusiness Impact
Analysis
TVAThreat & Vulnerability
Assessment
SRASector Risk Assessment
SRASector Risk Assessment
BIABusiness Impact
Analysis
The purpose of the TVA is to:• Determine standard threat scenarios and planning
constraints
• Identify vulnerability, symbolic value, single point of failure,or concentration of resources
• Composite Resilience Rating
11
Cross Functional Collaboration
• Perimeter security
• VIP security
• Proximity to other known militant targets
• Utility diversity
• Fire suppression
• Electrical grids
• UPS and generators
• Egress and risers
• Dual paths
• Data Center strategy
• Concentration of Infrastructure
• People Strategy
• Single point of failure
• Perimeter security
• VIP security
• Proximity to other known militant targets
• Utility diversity
• Fire suppression
• Electrical grids
• UPS and generators
• Egress and risers
• Dual paths
• Data Center strategy
• Concentration of Infrastructure
• People Strategy
• Single point of failure
SecuritySecurity
FacilitiesFacilities
TechnologyTechnology
HRHR
• Physical security• Physical security
• Physical plant resilience• Physical plant resilience
• Infrastructure resilience• Infrastructure resilience
• Personnel• Personnel
Team Lead: Office of Business Continuity
TVA Team Expertise Example Components
12
TVA: Threats For a Facility include …
• Vulnerability– low, medium, or high
• Symbolic Value as a Target – low, medium, or high
• Single Points of Failure– resources that do not have
redundancy at another Citigroup facility
13
TVA: Threats at a Facility (continued)
Threats include:
• Regional Blackout• Civil Unrest• Telecom Utility Interruptions• Epidemic• Hurricane• Flood• Earthquake• Bomb• Terrorist Event• Sabotage
14
TVA: Threat at a Facility (continued)
• For each potential threat the worst-case scenario is considered:
Outage duration range days, weeks, or months
Radius impacted <30 miles or >30 miles (50 km)
Loss probability low, medium, or high
• Then a composite resilience rating is calculated by the team
15
TVA: Consistent Output (continued)
Standard Threats,
scenarios, and planning
constraints Vulnerability, symbolic value, single point of
failure, proximity, or concentration
of resourcesComposite Resilience
Rating
Threats Outage
Duration Range Radius Impacted
Scope of Infrastructure
Services Affected (Potential)
Regional Blackout Days >30 miles ManyCivil Unrest Days >30 miles SomeTelco Interruption Days <30 miles FewHealth Epidemic Weeks >30 miles ManyTerrorist Event (multiple) Weeks >30 miles ManySabotage of Facilities Weeks <30 miles SomeHurricane/ Typhoon Weeks >30 miles (Cat 4/5) SomeTornado Weeks-Mos >30 miles (F 4/5) SomeFlood Weeks-Mos >30 miles SomeEarthquake Weeks-Mos >30 miles (>6.0) ManyBio/chemical release Months <30 miles ManyDirty Bomb Months <30 miles Some
16
Business Continuity Risk Assessment –Firm Perspectives in Approach
Credit Suisse First Boston (CSFB)
17
CSFB Business Continuity Prioritization of Processes / Products
Tier 1 – Critical
Process(es) and/or associated products which are required for the bank to survive or whose
unavailability would cause irreparable damage to the bank. This includes all core technology
infrastructure systems and facilities on which all applications and data are dependent to conduct
these processes. (e.g., funding the bank and associated settlement risks, safeguarding firm and
customer assets, manage market and credit risks, etc.)
Tier 2 – Required
Process(es) and/or associated products whose availability is mandated by either regulatory
requirements, customer or market obligations and/or business priorities.
Tier 3 – Less Critical
Process(es) and/or associated products that either have a delayed recovery timeframe or for
which recovery can be deferred.
18
Risk Weighting Criteria Used by CSFB
CSFB takes into consideration two key factors by location in weighing business continuity risks. The first is the relative importance of a physical location from a business perspective and the second is the associated threat(s) at that location.
Business Importance by Location1. Financial Exposures
a) Revenue Exposure or Opportunity Cost (foregone revenues due to inability to execute trades)b) Market Exposure or Value at Risk (capital loss on principal positions due to adverse market
movements)c) Contractual and Reputation Exposure (costs of inability to perform contractual obligations and long-
term impact of damaged customer franchise)2. Presence of Business Functions/Processes and Products transacted3. Presence of Technology Infrastructure supporting Business Functions/Processes and Products
Threats Associated by Location1. Environmental Risk
a) Physical Threats (e.g., inclement weather, earthquakes, civil unrest, etc.)b) Municipal Utility Infrastructure (e.g, power, water)c) Telecommunications Infrastructured) Transportation Infrastructuree) Health Care Infrastructure
2. Staff Concentration Risk3. Technology Risk4. Facility Risk
19
Business Continuity Impact Scenarios Assumed by CSFB
Partial Loss
Planning Time Horizon: Intraday (Up to start of next business day)
Assumes no physical destruction of facilities or systems. Business unit staff would either wait for IT and/or facilities disruption to be remediated or invoke business continuity plans. Internal outages/failures; examples: partial power outage or hardware/software failure.
Denial of Access
Planning Time Horizon: Up to 3 days
Assumes no physical destruction of facilities or systems. Business unit staff would need to evacuate or be denied access to their primary office space. Examples: Transit strike, inclement weather, bomb scare, gas leak, civil unrest.
Total Loss
Planning Time Horizon: Up to 1 month or longer *
Assumes physical destruction of facilities, systems and/or people. Examples: Terrorist attack, earthquake, catastrophic fire, flood.
Loss of Key External Interdependencies
Planning Time Horizon: Variable dependent on whether impact to CSFB is a Partial Loss, Denial of Access or Total Loss
Assumes interruption of service provided by Third Party Service Providers, Exchanges, Industry Utilities, Clearing Corporations,and/or Market Data Systems (e.g., pricing/news/market analysis information, communications, trade execution/deal capture, etc.). Also assumes interruption of services provided by CSFB.
* If the event is a Total Loss of primary data center collocated with people, then impact duration starts on Day 1. However, if the event is a Denial of Access to a data center facility lasting more than 3 days, then it is considered a Total Loss event.
20
Business Recovery/Resiliency Strategy Options – Considerations for Risk Mitigation
Impact Scenario Probability of
Occurrence
Business Recovery / Resiliency Strategy Option Estimated Recurring
Cost
Speed Of Recovery
Difficulty of Recovery
Split/Shared Production L H LTransference L H MDisplacement Seating L M LRemote* L M MManual Workarounds L M M
Internal Recovery/ Contingency Seating – Dedicated Trading H M MInternal Recovery/ Contingency Seating – Dedicated Non-Trading H M MInternal Recovery/ Contingency Seating – Shared Non-Trading H M MThird Party Provider Recovery/ Contingency Seating - Dedicated Non-Trading H M MThird Party Provider Recovery/ Contingency Seating - Shared Non Trading M L HSplit/Shared Production L H LTransference L H MDisplacement Seating L M LRemote* L M MManual Workarounds L M M
Internal Recovery/ Contingency Seating – Dedicated Trading H L HInternal Recovery/ Contingency Seating – Dedicated Non-Trading H L HInternal Recovery/ Contingency Seating – Shared Non-Trading H L HThird Party Provider Recovery/ Contingency Seating - Dedicated Non-Trading H L HThird Party Provider Recovery/ Contingency Seating - Shared Non Trading M L HSplit/Shared Production L H LTransference L H MDisplacement Seating L M MRemote* L M MManual Workarounds L M M
Total Loss Low
Relative
Partial Loss High
Denial of Access Medium
LegendH = HighM = MediumL = Low Remote* - Availability, functionality and capacity of key systems varies by business and by type of remote access
21
New York Downtown Campus
Jersey City Site A
Jersey City Site B
Central NJ Office and
Data Center
Jersey City Site CJersey City
DR Data Center
Current State
New York Downtown Campus
Proposed Interim State Proposed Future State
BAUAssets
BCP/ DR Assets
Through the use of optimized traditional and alternative recovery and resiliency strategies, utilization of Business-As-Usual (BAU) firm assets (people, facilities and technology) increase while physical concentration risks are mitigated and DR-only overhead costs are reduced.
Traditional Recovery – Dedicated or shared contingency seats (internally managed or third party)Alternative Recovery – Displacement, remote computing, transference, split production
BAU Assets
BCP/DR Assets
Legend
Jersey City Site A
Jersey City Site B
Southeastern US Office
Jersey City DR Data Center
Southeastern US Office and Data Center
Asia New York Downtown Campus
LondonAsia
Midtown Office
Midtown Office
Northern NJ DR Data Center
Northern NJ DR Data Center
London
Central NJ Office and
Data Center
Central NJ Office and
Data Center
London
Business Continuity Risk Mitigating Strategies –Illustrative Optimization Over Time
Jersey City Site A
Midtown Office