bci 2012 high value assets paper


Upload: gareth-jones

Post on 27-Jun-2015


DESCRIPTION

A paper which accompanies a presentation to the Business Continuity Institute (BCI) world conference 2012. It discusses possible approaches and tools for planning for high value assets.

TRANSCRIPT


Copyright 2012 Crisisinterface Ltd Gareth Jones 0044 (0)7880 313618

BCM World Conference 2012

Stream B – BCM in Action

BCM for high value assets – the right tools to gain appropriate strategies

When examining the way BCM is implemented across many organisations during assurance reviews, there is often a lack of differentiation of where continuity strategies are required to be assured and reliable and where more basic standards would be acceptable.

Although technically correct application of the BCM lifecycle has turned a project manager's deliverable chart ‘green’, often the impacts have not been established and the real requirements have not been defined. The mechanics have been done but the analysis and ‘Business’ in BCM is lacking. This leads to poor decision making by executive management as they have not really had the impacts or business case defined. In the face of a weak business impact analysis (BIA), the conclusions reached are flawed. In order to convince management to provide resource for often unpalatable recovery strategies or to make a conscious decision on the level of risk to be accepted, the foundations of the work have to be sound.

In reviewing a failure in a large investment bank where the trading floor remained inactive for 30 hours, it was found that the compliance and reporting chart was fully coloured green, but in reality the continuity strategies were not fit for purpose. This experience prompted the author to take a fresh look at the tools and techniques employed. It was clear that the BCM would have achieved accreditation against a standard, but the real priorities and strategies defined for this ‘high value asset’ had never been established. So, why were the tools not supporting the management and what other approaches might be appropriate?

Before starting to examine the topic of approaches and tools, the definition of what are high value assets requires discussion. A review of the definitions shows that there is little clear identification of this term. Some inspiration was sought from the arena of public ‘critical national infrastructure’ and the following terms were found:

USA definition is “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters”.

UK's national infrastructure is defined by the Government as: “those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends”.

In looking for a more commercially oriented term, the following example shows priorities within a commercial organization that was used recently to delineate the approach to assets that were ‘material’ to the business compared with the rest of the organization:

Tier 1: Key capability or assets deemed critical to the Group which would have a material impact on the Group share price or ability to achieve business plan objectives should they be impacted by events, incidents or crisis.

Tier 2: Capability deemed non-critical to the Group, but would have an impact for the function if it was interrupted for a period of time.

The key words in the government definitions are ‘vital’, ‘debilitating impact’, ‘essential service upon which daily life depends’. In examining more commercial definitions the main word appears to be ‘material impact’.

In order to see what examples there are of where high value assets are unavailable or impacted, the following examples of events may provide some context for a discussion of tools:

Buncefield explosion threatens 400 businesses (Daily Telegraph Dec 2005) – an example of a fuel depot which was at the junction of a major pipeline.

Total’s Elgin gas leak could carry on for six months (Daily Telegraph 28 Mar 12) – an example of a platform that also routed supplies of gas to the UK – a major supply ‘node’.

Blaze breaks out at Tilbury power station (Daily Telegraph 28 Feb 12) – an example of an unplanned outage of generating capability in a national grid.


Marikana mine violence poses major threat (Financial Times 24 Aug 12) – an example of a single facility which when shut caused the price of platinum to increase.

BP faces fresh attack over spill failure (Daily Telegraph 13 Jun 10) – an example of a control failure that caused major changes in an industry and a watermark event for future risk taking and strategy.

Stuxnet worm ‘targeted high-value Iranian assets’ (Financial Times 23 Sep 12) – an example of attempts to hinder a nation’s major national priority programme.

Queensland floods lift coal (Daily Telegraph 14 Jan 11) – an example of a ‘wide-area’ natural event that changed a commodity price.

Ulster Bank customers still hit by IT crisis day 14 (Daily Telegraph 3 Jul 12) – an example of a major technical failure caused by a software glitch.

BlackBerry manufacturer RIM had ‘single point of failure’ (Computer World 13 Oct 11) – an example of a data centre failure in one country impacting a global service.

The interesting thing about these events is that the high value assets involved, in either failing or not being available, are probably just another data centre or software system or pipeline junction or node. Failure would lead them to be defined afterwards as high value assets. It is of course impossible to define where these assets were placed in the organisation priority order or strategy as this information is not available to public scrutiny.

In order to define a high value asset another concept that may assist is to ask if the asset has ‘tightly’ or ‘loosely’ coupled characteristics for process or service delivered; this term was defined by Charles Perrow.

There is also a debate in risk management on the opposing approaches of anticipation (analysis of impact and probability) against resilience (impact against time) as defined by Hood and Jones in Accident and Design. Using the framework of anticipation and resilience the characteristics of tools in use can be analysed. Business impact analysis (BIA) is clearly rooted in a resilience approach, that of impact against time. However, many BIAs that have been reviewed by the author have failed to establish financial impacts of events against time, and this has led to poor foundations upon which the argument with management about resources for strategies can be based.

Some of the tools available for establishing information upon which recovery strategies and management decisions can be based are:

Risk Management and risk appetite - maturing standards available.

BCM – business impact analysis (BIA) - a standard technique for BCM.

Dependency and process mapping - an engineering and supply chain technique to define process – particularly used in closely coupled systems.

Value chain analysis - a management technique to define where value is added (or lost!) in business.

Down time analysis - a technique used in technology to define cost of ‘downtime’.

Insurance: business interruption calculations - a technique used to calculate gross revenue loss of a business following an interruption to inform the length of the recovery of the business; it normally only defines insurable costs.

Scenario analysis/stress test – a financial sector technique to assist in definition of financial resilience.

Scenario planning – a management technique to shape a plausible future to allow contextualisation of requirements to be made and uncertainty to be defined.

Others.

Two of these tools merit further discussion:

Scenario analysis has been adopted by the financial sector to develop a view of low probability high impact risks to assist in calculating the level of financial resilience required. The technique takes ‘long tail’ risks and uses internal loss data (ILD) and external loss data (ELD) to assist in making judgements on what might be the loss sustained in the event of certain scenarios happening at differing levels of severity. The process of conducting scenario analysis is to define and agree scenario descriptions, then take a view over a range of probabilities to quantify possible impacts/severity and evaluation of controls. It is usually developed through workshops with a group of management, experts and facilitators (whose role is to provide objectivity and to mitigate bias).

Scenario planning can be used to provide a context against which a group of management and specialists can do a ‘reality’ test of assumptions and define requirements. This information can then be used to ‘test’ current controls for gaps or provide a requirements list. By using a span of scenarios the requirements list can be made with a wider view and provide a realistic and wider challenge than ‘bottom-up’ BIA based planning.

Both scenario analysis and scenario planning are resource intensive to plan and facilitate and are therefore more appropriate to the development of a wider view of BCM strategies and requirements for high value assets. In deciding the requirements of appropriate strategies, questions which may be of value to ask are:

Across the organisation do we really understand which are the high value assets?

Do we really understand the impacts of loss?

Do we understand the risks and if controls are appropriate?

Which are the business critical activities?

What level of reliability do we require?

Are the tools we are using up to the job?

Will our arrangements work and how is this assured?

Where should we put our resources?

When determining appropriate recovery strategies for high value assets it is likely that there will be more considerations to take into account, as solutions may be harder to find and resource. Solutions may encompass a wider range of possibilities, such as:

BCM – ensure ‘normal interruptions’ are planned for. The author has found that often the basic planning for ‘normal’ interruptions, such as power, people, technology, loss of access and telecommunication systems, has not been carefully carried out or implemented.

Resilience – achieving the quality of planning that enables resilient systems to be put in place is a challenge. This is because extensive resources may be required to enact suitable strategies, e.g. buffer stocks, standby facilities.

Global and local recovery strategies – may be applicable in some instances, e.g. pharmaceutical plants and supply chains. Local recovery strategies will have limitations due to the long lead time of replacing some high value assets (or licensing). Lead times for recovery are so long that global strategies may be the only answer. To develop global strategies requires overview and a well developed business case.

Partnerships with competitors – the unthinkable strategy. Some products in the global environment are only produced by a very limited range of suppliers and global scarcity situations may occur and therefore the only viable strategy involves production increase at a competitor.

Contingency planning approaches – some high value assets are so critical that contingency measures are the only means of protecting assets or still delivering some form of service and loss is an accepted risk.

Other?

The conclusions from the examination of BCM for high value assets and available tools are as follows:


Further reading:

WEF – Global Risks Report 2012 (risk mapping and interconnectedness)

Report of the Heathrow Winter Resilience Enquiry – Mar 11 (closely coupled system failure)

Deepwater Horizon Containment and Response – Harnessing Capabilities and Lessons Learned – 8 Sep 10 (closely coupled system failure)

The Buncefield Incident – Final Report – 11 December 2005 (closely coupled system failure)

Future Global Shocks – OECD Reviews of Risk Management – June 2011 (dependency modelling tools)

Normal Accidents – Living with high risk technologies – Charles Perrow - 1999 (coupled systems)

Accident and Design – Hood and Jones 2002 (opposing views in risk management – anticipationism versus resilience)

UK Chartered Management Institute – Planning for the worst. Annual BCM Survey March 2012 (normal interruptions and useful benchmark data)