Business continuity management - planning for major events. BCI workshop 30 Jan 13
DESCRIPTION
Presentation to BCI workshop 30 Jan 13 in London on planning for major events. Discussion of the spectrum of expected risks and possible tools to use.
TRANSCRIPT
Crisisinterface
Copyright Crisisinterface Limited 2013 Gareth Jones [email protected] 0044(0) 7880 313618
Gareth Jones MSc MBCI
BCM for major events: What is the challenge?
Crisisinterface Copyright Crisisinterface Limited 2012 Gareth Jones [email protected] 0044(0) 7880 313618
Agenda
What are major events?
Will normal BCM tools be appropriate?
What other tools could we use to enhance our planning?
Conclusions
Some further reading
What are major events?
[Figure: three categories of event (‘normal’ interruptions; wide area & international events; global events) shown against an impact scale labelled Interruption, Material impact, Extinction]
• Extreme weather e.g. flood/high winds
• Loss of IT
• Loss of people
• Loss of access to site
• Transport disruption
• Damage to corporate image/reputation/brand
• Loss of telecommunications
• School/childcare closure
• Loss of electricity/gas/water/sewage
• Loss of key skills
• Supply chain disruption
• Negative publicity/coverage
• Customer health/product safety incident
• Employee health & safety incident
• Pressure group protest
• Environmental incident
• Fire
• Industrial action
• Terrorist damage
Source: The 2012 CMI Business Continuity Management Survey
‘Normal’ interruptions
‘Normal’ interruptions
• Loss of IT
• Loss of people
• Loss of access to site
• Loss of telecommunications
• Loss of utilities
Stuxnet worm 'targeted high-value Iranian assets' FT 23 Sep 12
Assad launches Scud missile barrage DT 13 Dec 12
The great cyber hijack: how China diverted the web in 18 minute sting DT 19 Nov 10
Japan – nuclear alert over fears of leak at quake reactor DT 12 Mar 11
Major events – some examples
Marikana mine violence poses major threat FT 24 Aug 12
Buncefield explosion threatens 400 businesses DT Dec 2005
BP faces fresh attack over spill failure DT 13 Jun 10
Al Qa’eda brings terror to heart of London DT 8 Jul 05
BlackBerry manufacturer RIM had 'single point of failure' Computer World 13 Oct 11
Anthrax attack hits Congress, Israeli minister assassinated DT 18 Oct 01
Ministers should have acted sooner over Ash crisis DT 21 Apr 10
Wide area & international events
• Loss of IT
• Loss of people
• Loss of access to site
• Loss of telecommunications
• Loss of utilities
• CIS Wildfires
• Hurricane Katrina
• Country power failure
• Iceland ash cloud
• Terrorism Mumbai
• National strike
• 9/11
• Gulf oil spill
• Flu pandemic
• ‘Jetstream’ storms
• Bank collapse
Will normal BCM tools be appropriate?
[Figure: timeline following an incident/interruption; axis: Time; markers: 24 hours, 48 hours; labels: Recovery time objective, Maximum tolerable period of disruption; note: May be qualified with recovery level]
Impact: evaluated consequence of a particular outcome
• Financial
• Reputation
• Legal/contractual/regulatory
• Quality
• Staff morale
• Other?
Incident: Situation that might be, or could lead to, a business interruption, disruption, loss, emergency, incident or crisis
RTO: Recovery time objective. Target time set for resumption of product, service or activity delivery after an incident
MTPD: Maximum tolerable period of disruption. Duration after which an organisation’s viability will be irrevocably threatened if product and service cannot be resumed
Tools to use in planning for major events?
Risk Management and risk appetite
Dependency and process mapping
Value chain analysis
Down time analysis
Insurance: business interruption calculations
Scenario analysis/stress test
Scenario planning
Others?
Scenario analysis
Adopted by financial sector to develop a view of low probability high impact risks to assist in calculating the level of financial resilience required
Takes ‘long tail’ risks and uses internal loss data (ILD) and external loss data (ELD) to assist in making judgements on what the loss sustained might be if certain scenarios happen at differing levels of severity
Process:
define and agree scenario descriptions
view over range of probabilities to quantify possible impacts/severity and evaluation of controls
Usually workshops with a group of management, experts and people to facilitate objectively and avoid bias
Scenario planning
[Figure: scenarios positioned by cause (3rd party cause; ‘normal’ identified risk) and by scope (only firm affected; market wide). Scenarios shown: #1 London-wide outage; #2 main offices outage; #3 major technology failure; #7 infectious disease. Onset labels shown: slow initial burn; fast onset; medium onset; fast onset]
Conclusions
The assumption is that most developed BCMS should be capable of handling ‘normal’ interruptions
The requirement to plan for major events is poorly defined and often ‘too difficult’ until forced upon management?
Normal BCM tools may not be the best tools for reducing uncertainty in planning for major events
Scenario analysis provides a developed technique to define financial impacts over a range of probability using a disciplined method
Scenario planning often highlights different requirements to those defined by ‘bottom-up’ BIA and tests assumptions (as with exercises and war-games)
Tools and techniques are still evolving – we should take the wider view and sample and utilise the best tools to build resilience for major events
Further reading on the topic of tools for use in planning for major events
UK Chartered Management Institute – Planning for the worst. Annual BCM Survey March 2012 (normal interruptions and useful benchmark data)
WEF – Global Risks Report 2013 (risk mapping and interconnectedness)
Future Global Shocks – OECD Reviews of Risk Management – June 2011 (dependency modelling)
UK National Risk Assessment for Civil Emergencies - January 2012 Edition (www.cabinetoffice.gov.uk) (UK view of risks)
Risk appetite and tolerance consultation paper – IRM May 2011 (useful for defining risk appetite)
Scenario planning: Ringland (staple reference on scenario planning)
Scenario analysis: APRA working paper: Applying a structured approach to operational risk scenario analysis in Australia (www.apra.gov.au - explanation of some SA terms)
Exercise programmes: design, experience, reflect and fix. Gareth Jones, Continuity, Mar 2010 (discussion on developing an exercise programme)