[Eskom - Case Study] Lessons learnt in developing a Business Continuity Management Programme Date: 19 May 15 Malcolm Van Harte Tshepile Moganedi

Building blocks for BCM programme


Page 1: Building blocks for BCM programme

[Eskom - Case Study] Lessons learnt in developing a Business Continuity Management Programme

Date: 19 May 15

Malcolm Van Harte, Tshepile Moganedi

Page 2: Building blocks for BCM programme

What is this all about?

Page 3: Building blocks for BCM programme

What is this all about?

Page 4: Building blocks for BCM programme

Organisational Resilience R6

Page 5: Building blocks for BCM programme

Organisational Resilience

[Figure: System Vulnerability and System Adaptive Capacity (KPI) plotted against Time, with a Potential Threat and a Shock marked. Phases: Reduction, Readiness, Response, Recovery (Proactive to Reactive). R6 labels: Recognise, Reflect, Co-ordinate, Contain, Check, Control.]

Page 6: Building blocks for BCM programme


What is business continuity?

This is our business

Electricity

Our business is designed to deliver on this mandate (We could refer to this as “business as usual”)

People, Equipment, Systems, Buildings, Suppliers

Coal & Water

These transform… into…

Page 7: Building blocks for BCM programme

Background

• Business Continuity Management (BCM) is a capability to identify potential impacts that threaten objectives, to respond effectively, and to safeguard the interests of key stakeholders and customers.

• Eskom has recognised the need to increase enterprise resilience capabilities in order to continue time-critical processes and functions in the face of disruptive incidents.

• Eskom's business continuity capability is designed around the ability to plan, respond, recover, exercise, and review and enhance plans to manage disruptive event(s) beyond normal business.

Source: ISO 22301

Page 8: Building blocks for BCM programme

Eskom BCM Programme

Page 9: Building blocks for BCM programme

Eskom BCM Building Blocks

• Embedding an effective BCM programme requires building blocks to ensure sustained and executable response plans.

• It is imperative to ensure that plans are relevant, effective, efficient and ready to be executed.

• Building blocks to implement an effective BCM programme:
  • Block 1 – Governance and Accountability
  • Block 2 – Defining BCM strategies
  • Block 3 – Constitute team for a disruptive event
  • Block 4 – Assurance / Compliance and Integration
  • Block 5 – Embedding and continuous improvement

Page 10: Building blocks for BCM programme

Block 1: Governance and Accountability

• The programme needs to establish and maintain a BCM governance model that is effective yet simple, stable yet flexible and robust yet adaptive.

• Governance attempts to seek and make decisions that define expectations, grant power or verify performance, and requires:
  • Ownership and reporting
  • Integration
  • Involvement

• Governance committees play an important role in overall BCM assurance and in safeguarding the development of the resilience capability to plan for, respond to and recover from disruptive incidents.

Page 11: Building blocks for BCM programme

Block 2: Defining BCM Strategy

Strategy Decision

BCM strategy requires agreement in principle on recovery solutions and response / recovery plans to address the vulnerabilities:

• BCM recovery strategies would be calibrated against the risk appetite for the unavailability of mission-critical processes for an extended period during a catastrophic incident (BETH3).

• The Business Continuity Strategy procedure attempts to obtain agreement in principle between the stakeholders on how to meet the RTO and address existing gaps in order to execute the business continuity and contingency plans.

Page 12: Building blocks for BCM programme

EXCO Approved Risk Appetite & Tolerance Profile

RATING | FINANCIAL IMPACT | PEOPLE EFFECTS | ENVIRONMENT | BRAND AND REPUTATION | LEGAL AND COMPLIANCE | CONTINUITY OF SUPPLY

Rating 6: >R50bn loss or gain

- More than 10 fatalities.
- Many 10’s of people subjected to irreversible effects.
- Irreversible long term environmental harm.
- Community outrage, potential large scale class action.
- Public inquiry by Government agency.
- Environmental licence revoked.
- Potential for significant legal sanctions against Eskom.
- Critical event that the organisation would be forced to undergo significant change. E.g. CE departs and Board is restructured.
- Sustained adverse international/national press reporting over several weeks.
- Prolonged loss of Government confidence and community support.
- Major litigation or prosecution with damages of R100m+ plus significant costs.
- Custodial sentence for company Executive.
- Prolonged closure of operations by authorities.
- National blackout with enormous impact on country from image, economic, point of view.
- National load shedding > six months.

Rating 5: <R50bn loss or gain

- Multiple fatalities, or
- Significant irreversible effects to 10’s of people.
- Prolonged environmental impact.
- High-profile community concerns raised – requiring significant rectification measures.
- Government agency inquiry.
- Environmental licences revoked and directives issued.
- Significant event that would require ongoing management and brings the organisation into the national spotlight.
- Sustained adverse national press reporting over several days.
- Sustained impact on the reputation of Eskom.
- Loss of Government support.
- Executive management restructure.
- Major litigation costing R10m+.
- Investigation by regulatory body resulting in long term interruption to operations.
- Possibility of custodial sentence.
- Unexpected:
  - Regional blackout lasting <60hrs.
  - Under-frequency event resulting in voluntary & mandatory load shedding.
- Expected:
  - National load shedding <4wks.
  - Loss of critical supply to critical customer (deep level mines, smelters etc.)

Rating 4: <R5bn loss or gain

- Single fatality and/or
- Severe irreversible disability to one or more persons.
- Measurable environmental harm – medium term recovery.
- High potential for complaints from stakeholders and community.
- Environmental directives issued by authorities.
- Major event that causes adverse local press reporting – over several days.
- Manager may be asked to leave.
- Minister raises concerns.
- Major breach of regulation with punitive fine.
- Significant litigation involving many weeks of senior management time.
- Regional blackout lasting <6hrs.
- National load shedding <2wks.
- Loss of supply to major centre or customer for >12 hrs.

Rating 3: <R1bn loss or gain

- Extensive injuries or irreversible disability or impairment to one or more persons.
- Medium term recovery, immaterial effect on environment/community.
- Required to inform Government agency (e.g. noise, dust).
- Serious event that can be readily managed but management effort is still required to minimise impact locally.
- Adverse local press reporting.
- Disciplinary action likely.
- Breach of regulation with investigation or report to authority with prosecution and/or moderate fine possible.
- Local loss of supply affecting >10,000 customers (<50MW) for >12hrs.

Rating 2: <R100m loss or gain

- Medium term largely reversible disability to one or more persons.
- Significant medical treatment, disabling or lost time injury <2 weeks.
- Short term transient environmental or community impact – some clean up costs.
- Event that site management can readily manage internally.
- No press reporting or external interest.
- Disciplinary action may be taken.
- Minor legal issues, non-compliances and breaches of regulation.
- Loss of supply to large customer or affecting >10,000 customers for <4hrs.

Rating 1: <R10m loss or gain

- First aid treatment or minor medical treatment.
- Negligible impact on the environment, little to no ecological effect and no measurable impact on human health.
- Entirely an internal issue.
- Attention is confined to site.
- No breach.
- Loss of supply to some customers (normal interruption) affecting 3,000 customers for <4hrs.

Page 13: Building blocks for BCM programme


Integrating BCM Strategy

Executive BIA

Service Level Agreement

Existing Infrastructure

Business Strategy

How do we manage the disruption?

Long

Short

Now

Page 14: Building blocks for BCM programme


Funnel [BCM Recovery Strategies]

Step 1: Conceptual

• Initial thoughts to reduce vulnerability
• Contain consequence
• Barriers to prevent
• Historical recorders
• Refer to IRM

Step 2: Expert Eng.

• How to meet the return time objective?
• Collaboration between role players
• Expert advisor
• Research recovery solutions

Step 3: Div. EXCO

• Gatekeeper
• Progress feedback
• Obtain agreement in principle on recovery options
• High-level costing and implement.

Step 4: Proj. Gov

• Conduct feasibility study
• Initiate project
• Operational plan supporting budgeting to BCM recovery options

Step 5: Proj. Exec.

• Execution long term plan to reduce vulnerability
• Project Principles
• Medium term plan (contain)

Recovery Strategies

Idea 1

Idea 2

Idea 3

Idea n

Solution 4

Solution n

Page 15: Building blocks for BCM programme

Block 3: Constitute team to a disruption

Eskom Response Command Centre

Divisional Tactical Command Centre

Provincial Tactical Command Centre

Facilities Recovery Team

Technology Recovery Team

Equipment

Telecommunication

ICT

3rd Parties

Human Resources Recovery Team

Security Recovery Team

Crisis Communication

Provincial Joint CC

Recovery Teams

Two operating models:

1. Core Emergency Team

2. Hazard related team

Page 16: Building blocks for BCM programme


Resumption Stages

Recovery Steps | Process / Business Function
Step 1 | Process 1, Process 2
Step 2 | Process 3, Process 4
Step 3 | Remaining processes

How do we manage the disruption?

Page 17: Building blocks for BCM programme

Block 4: Assurance / Compliance and Integration

Source: BS 25999

Page 18: Building blocks for BCM programme

Assessments

Page 19: Building blocks for BCM programme

Block 5: Embedding and continuous improvement

• Continuous improvement embedding
  • Maintenance and Review: allocation of roles
  • Continuous Improvement: training, drills, review

• Exercising and testing objectives:
  • Training of employees and managers to understand their roles and responsibilities before, during and after a business disruption (including testing of resources, infrastructure, building etc.).
  • Improvement of business response and recovery procedures.
  • Proving the adequacy, completeness, validity and accuracy of the current recovery plans.
  • Ensure that mission critical activities have sound plans and support strategic objectives.
  • Ensure that all aspects of the business including dependencies and interdependencies are covered.
  • Manage threats and risks associated with achievement of strategic objectives.

Page 20: Building blocks for BCM programme

Exercises, Maintain and Review (Validation)

VALIDATION | INFORMATION TO BE DOCUMENTED

Maintenance and review
• Authorised plan(s) that have been reviewed at least annually.
• Review of plan resourcing.
• Training and levels of competency of role players.

Exercises and tests
• Exercise scope, objectives, execution dates, and learning.
• Test scope, execution dates, learning.

Continual improvement
• Agreed actions from tests, exercises and reviews of the plan.
• Action close-out tracking and responsibilities.

Page 21: Building blocks for BCM programme

What are the key lessons learnt?

Block 1 – Governance and Accountability

• BCM programme requires leadership ownership and governance structures
• Define role and responsibility of governance structure
• Onboarding Senior and Executive Management to ensure ownership
• BCM governance should be incorporated in normal business governance

Block 2 – Defining BCM strategy

• Agreement in principle is required between Subject Matter Experts / functionally accountable departments
• Define the risk appetite and tolerance profile (National vs Business Units)
• Executive Team should agree on major milestones – recovery solutions
• Third party arrangements can introduce significant risks in response and recovery of mission critical processes / operations

Page 22: Building blocks for BCM programme

What are the key lessons learnt?

Block 3 – Constitute recovery teams

• Assigning the roles aligned to Delegation of Authority and Expertise
• Operating model for recovery team: (i) Dedicated Team vs (ii) Hazard specific Team(s)
• Pre-define the team and structure
• Onboarding of newly appointed individuals
• Dependence on One Expert is a risk

Block 4 – Assurance / Compliance and Integration

• In developing the BCM programme the assurance / compliance and integration matters should be built in and not developed later
• Appraisal of adherence is required
• Safeguards the relevance and adequacy of the BCP
• Block 4 builds toward Block 5

Page 23: Building blocks for BCM programme

What are the key lessons learnt?

Block 5 – Embedding and continuous improvement

• Allocated roles with job compacts are important to ensure maintenance and review
• Training assigned role players
• BCM aspects should be incorporated in the development of business processes
• Testing and exercise culture should be encouraged
• Regular reviews and exercises should be conducted by independent individuals
• A standardised approach should be adopted to conduct post-mortems
• Tracking system to close out enhancements for continual improvement

Page 24: Building blocks for BCM programme

Conclusion

• This presentation introduced building blocks to effectively and efficiently implement your BCM programme.

• It is achieved by focusing your BCM programme on the following:
  • Block 1 – Governance and Accountability
  • Block 2 – Defining BCM strategies
  • Block 3 – Constitute team for a disruptive event
  • Block 4 – Assurance / Compliance and Integration
  • Block 5 – Embedding and continuous improvement

• It highlighted key lessons learnt that may assist you in the development of your BCM programme.

Page 25: Building blocks for BCM programme

Implementing BCM in an organisation …

… is like eating an elephant

Take a small bite at a time!!

FINAL THOUGHT: BCM Programme Management

Page 26: Building blocks for BCM programme

Thank You – Any Questions