bcm presentation - investment or expense?

1

Business ContinuityInvestment or expense?

Sidney R. Modenesi, MCBCC, MBCI

IV Seminário de GCN Gestão da Continuidade de Negócios

Brasília – 25/06/13

This is a quick and straight translation of the original presentation, i.e., some translation errors may occur.

2

Agenda

Opening What is Business Continuity Some local significant regulations Standards and Good Practice Real experiences Investment or expense Adjourn

3

Presenter

Sidney R. Modenesi, MCBCC, MBCI,

BS 25999 Technical Expert;

BCI Area Representative for Brazil;

STROHL Brasil General manager since 2002;

Bachelor in Computer Sciences, IME/USP;

Master Degree in Entrepreneurship, FIA/FEA/USP;

Approved in the DRII certification exam in 2000;

Approved as MBCI by BCI in 2005;

BS 25999 Technical Expert by BSI in2011;

Contacts: sidneymd@thebci.com.br

sidney_modenesi@strohlbrasil.com.br

+55 11 5583-0033

4

Business Continuity Institute

Global leader institute in Business Continuity; Mission: to promote the art and science of Business

Continuity worldwide; With 10.000+ certified professionals in 100+

countries; Supported the development and enhancement of

many Business Continuity standards as: PAS 56, BS 25999, ISO 22301/22313, GPG 2013 ...

5

Assumptions

“If anything can go wrong, it will.”

Murphy´s Law

“And more, it will go wrong in the

worst manner, at the worst moment

and in a way it will cause the worst

possible damage.”

Corollary

“Murphy was an optimist”.

Clark´s Law

Noeh Arch

1st documented record of Business

Continuity in the Human Kind history,

although using an inside information …

6

What is Business Continuity?(according to ISO 22301/22313)

It is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

7

What is Business Continuity?(according to ISO 22301/22313)

8

What is Business Continuity?(according to ISO 22301/22313)

Or simply: to restart in a planned way services, products and/or critical business processes in a alternate location, in a priory defined time frame and service level, before the consequences and impacts become unacceptable.

9

Local significant regulations

3380 Regulation – BACEN (like FED)

Defines the implementation of the Operational Risk management strucuture in accordance with the Basel II agreement. Be in force since July 29th, 2006.

VI – existence of contingency plans containing strategies to be adopted to assure continuity conditions of core activities and to limit severe losses due to operational risks.

10

Significant regulations

Business Resiliency and Continuity

Principle 10: Banks should have business resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption.The Committee’s paper, High-level principles for business continuity, August 2006, discusses sound continuity principles in greater detail.

11

Local significant regulations

SAC Law(Customer Service Centers)

SUSEP – Circular # 285(insurance market)4. Operational Continuity Plans:

4.1. to indicate a summary plan of the operational continuity in contingency or emergency situations; 4.2. to present the results of the last test of the operational continuity test.

12

Standards and Good Practice in BCM

ISO 22301:2012 Good Practice Guidelines 2013

13

Real experiences

World Trade Center – 09/11/2001 London Underground - 2005

14

Real experiences

Riots – 2006 ...Riots – 2006 ...

RJ, SP ...

15

Real experiencesVulcano in Iceland Vulcano in Chile

16

Real experiences

Fukushima, Japão - 2011

Due to the Fukushima earthquake and tsunami some Brazilian car factories had to close one of the production shifts due to lack of core components. BALANCE: Lost sales

17

Real experiences

Oklahoma tornado - 2013 Petrópolis/RJ - 2011

18

Real experiences

All variations of flue Dengue, an endemic local problem

19

Real experiences

Fire in one of the Social Security buildings in Brasilia (INSS) - 2005 Data Center fire - 2009

20

Real experiences – Social Midia

Foreign Affairs invasion – 06/13Brasilia Congress invasion – 06/13

21

Real experiences – Crisis management

22

Real experiences

The potential risks list is endless:

Naturals: Heavy rains,

earthquakes, vulcanos, tornados ...

Humans, accidentals or deliberates: fire, explosion,

contamination ...

Technological: Hacker, invasion, virus,

systemic failure...

23

Risk Appetite

For each non eliminated risk

An strategy developed, documented, tested and updated will be needed

To restart in a planned way services, products and/or critical business processes in a alternate location, in a priory defined time frame and service level, before the consequences and impacts become unacceptable.

24

Implementation cycle

•To

identify and mitigate risks.

•FOR EACH NON ELIMNATED RISK

•Recovery Strategies

•Developed, documented, tested and updated

•To planned restart services, products and/or business processes in an alternate location

•PDCA - Plan, Do, Check and Act

25

Investments and expenses

The development and implementation of the Recovery Strategies will require de:• Initial (upfront) investments to adapt office space,

electrical power, network, PABX and phone lines, desks, chairs, workstations ...

• Recurring expenses to maintain all this infra structure and

• Eventual expenses with exercises, testes and validation tests (DRP).

26

Equilibrium point

RISK APPETITE

Time

Financialand operational

losses

Investments in prevention and

contingency

$

t0t1< t0

< Risk Appetite

t2 > t0

> Risk Appetite

$

27

Investment or expense?

• Financially BCM has:– Implementation investments CAPEX– Recurring expenses OPEX

• In the Management or Risk Appetite point of view BCM helps to increase the operational resilience– Increasing availability, productivity and time

redution of the interruptions Investment– It is part of the business cost.

28

Return of investment

Plan

Do

Check

Act

Plan the recovery strategy

Implement the recovery strategy

Exercise, test and stress the recovery strategy

Treat the Non Conformities:•Update the Recovery Strategies and/or•Update the BAUdaily processes.Benefits: improve in the quality, productivity and availability of the critical products, services and business processes.

29

Adjourn

A well developed, implemented and maintained Business Continuity Program will: Increase the Risk Awareness; Reduce the organization risks; Reduce the interruption durations; Bring ROI; Increase the organization value, specially with

a BCMS certification.

30

Closing

Plan for the WORST

Work for the BETTER.

31

Closing

Contacts:

Sidney R. Modenesi sidneymd@thebci.com.br sidney_modenesi@strohlbrasil.com.br +55 11 5583-0033