Convergence and Breaking Down Silos

Karen Dye, CBCP, MBCIDirector, Global Crisis ManagementSun Microsystems, Inc.

Topics• Company Information• Crisis Management Organization• Evolution events and activities

– Crisis Management– Activation flow– Critical Site List– Metrics– Tools

• Risk Summit

Sun Microsystems, Inc.

• Multi-National computer products and services company

• $13.8 billion revenue FY08• 34,000 employees• Over 100 countries• Over 240 locations• Products 62% of revenue• Services 38% of revenue• Research and development = 13% of sales

Sun Culture

• Centralized policy making• De-centralized decision making• Outside US – Country Manager is Country

CEO• Traditional silos with few integrated

processes or collaborative responses• Highly flexible work force – “Open Work”

Business Resiliency – Not an Island

• Regional and Corporate Crisis Management Plans• Business Group Business Continuity Plans• IT Disaster Recovery• Emergency Response• Security Response• Facilities Response• Human Resources Support

2003 - 2004 2005 - 2006 2007 - 2008 2009 +

●Prof. BCP Mgr●Activa tion Exe r●Stre amline templa te s●Bottoms up

●BCP Audit●Exec. Champions●Pa ndemic Planning●Be ginning of CMT●Critica l S ite Lis t

●BCMM re sults●CMAT's●Notifica tion Sys tem●Security integra tion

●Risk Summit●Re duced S ta ff●Efficiency●Effe ctive ness

Evolution of Activities

Pandemic Planning

• Commenced Fall 2005• First cross functional crisis team• Defined roles and responsibilities• Now under Crisis Management umbrella

Crisis Management Functions

Team LeadEmergency ResponseGlobal Sales & ServiceLegalPrivacySecurityWork Environments (EH&S, Facilities, Open Work)‏

Employee CommunicationsFinanceHuman ResourcesMedia & Public RelationsRisk ManagementInformation TechnologyManufacturing

Crisis Management Structure

Local Emergency Response

Incident Commander

Local Emergency Response Personnel

Sun Incident Commander

BCP BU Executive Sponsor

BCP ExecutiveChampion

Cris is Management &Emergency Response

Champion

Cris is Management Program Office

Corporate Cris is Management Team

BU BCPManager

Plan DevelopmentCoordina tor

Recovery TeamLead

-Development Team Member

-Recovery Team Member

Cris is ManagementAreaTeam

Sun Site ER Team

-Security Manager-Opera tions Manager-EHS Manager-Other Members

Site ERCoordinator

At Time ofDis a s te r (ATOD)

At Time ofDis a s te r (ATOD)

Denotes Sun organization/pers onnel

Denotes external organization/pers onnel

Functional Support Teams

Crisis Flow

Loc al On Site 1 s t Re s ponde rs

Corporate Cris is Manage me nt Te am

Exe c utive Le ade rs hip Te am (ELT)

1: Reduce Loss of Life & Damage2: Notify Local Emergency Response Personal (i.e. Fire, Police, etc)3: Communicate to Regional & Corporate

1: Gather Team 2: Assess Damage / Situation3: Determine Corporate Crisis Lead (where appropriate)4: Needs Analysis from Regional5: Determine Immediate Action Required6: Activate Communication Plan

1: Initial Updated Provided On Going – Status Updates provided to ELT

NOTE: It is NOT necessary in all cases for the Corporate Crisis

Management Team to be formed

1: Gather Team 2: Assess Damage / Situation3: Determine Regional Crisis Lead4: Needs Analysis from First Responders5: Determine Immediate Action Required6: Activate Communication Plan

Re gional Cris is Manage me nt Te am7: On Going Activities

7: On Going Activities

Initial Actio ns (bas e d on Time) On Go ing Actio ns (bas ed on Time )

Crisis Notification

Initial alert of an incident from iJet, media sources, local staff, etc

Has the incident impacted a Sun asset?

No

Yes

CMAT monitors the “smoldering” event with updates from iJET

Does the incident require building closure? CMAT

tasks SOC to send ENS alert

CMAT activates/ manages situation room.**

No

Yes

START HERE:

CMAT

SOC

** = CMAT may transfer situation room ownership to CCMT especially if multiple CMATs are involved in one incident.

ERAP

Have public authorities or property mgt alerted Sun about the incident with specific instructions?

YesNoSOC sends ENS alert to evacuate or shelter in place.

Critical Site List – Problem Statement

• Multiple criteria used for prioritizing site related activities• Little Consistency• Need for enterprise evaluation

Repeatable process (allows for changing conditions) ‏Logical and credibleAuditable

Critical Site List - Purpose

Short TermImplementation of FM Global property engineering recommendationsResource allocation at BU and site level for Crisis Management and Business Continuity activities

Long TermInput to various budget allocation decision makingGlobal location strategyInput to enterprise risk management processInput to Executive Leadership Team decision making

Critical Site List

Location GEO Revenue Mfg Score

1 1 AMER 9 1 46.14 119.12 0.00 0.00 15.00 13.742 2 APAC 6 30.76 71.83 0.00 9.32 10.00 9.304 3 EMEA 6 1 30.76 36.47 0.00 38.88 15.00 9.235 4 EMEA 1 5.13 94.38 0.00 0.00 10.00 8.353 5 EMEA 6 30.76 30.03 0.00 31.22 10.00 7.789 6 AMER 1 5.13 81.38 0.00 0.00 3.13 6.83

10 7 AMER 3 1 15.38 9.44 43.50 0.00 15.00 6.357 8 APAC 6 30.76 11.97 0.00 25.45 10.00 5.96

11 9 EMEA 4 1 20.51 21.45 20.46 0.00 15.00 5.9026 10 AMER 1 5.13 34.20 11.54 0.00 10.00 4.646 11 EMEA 3 15.38 0.00 0.00 34.17 10.00 4.54

13 12 AMER 5 1 25.63 10.61 0.00 0.00 15.00 3.918 13 AMER 6 1 30.76 1.18 0.00 0.00 15.00 3.58

15 14 AMER 6 1 30.76 0.00 0.00 0.00 15.00 3.4916 15 APAC 6 30.76 1.71 0.00 5.79 6.55 3.4212 16 EMEA 2 10.25 0.00 0.00 19.37 9.40 2.98

Sum: 71 0 0 0 0 0.0 364.00 523.77 75.50 164.20 184.08 100.00

2006 Rank

2007 Rank

No. of Tiered proc.

No. of mission critical apps

Mfg Site Annual Product Revenue ($billions per yr)

Building (1=

owned)

Replacement Cost

Self insured repl. cost exposure ($millions)

Tiered Processes

Score

US Data Center Score

GEM Hub Score

Repl. Cost Score

Weighted Score

Metrics - Baseline

CORPORATE COMPETENCIES Leadership 3.1 Employee Awareness 1 Business Continuity Program Structure 3.1 Program Pervasiveness 3.5 Metrics 2.6 Resource Commitment 4 External Coordination 2.6

Combined score for competencies 2.8

BUSINESS CONTINUITY PROGRAM CONTENT Incident Management/ Crisis Management 1.4 Information Technology 2.4 Security Management (physical and IT) 4 Business Recovery 2

Combined score for content 2.4

TOTAL SCORE 2.8

BCMM® Score

Metrics – Gap Analysis

Competency Measurement Current State Priority Effort

None 2 H

Program Structure Expand Standards PMO resources 3 H

Metrics 2 M

1 H

Gaps and/or Desired State

Dependencies & Implementation

NeedsEmployee Awareness

Training module for all employees

On line training module

Budget for training development

Standards and policies in place

Policies in place, some standards

Method of measuring level of preparedness

Red, green, yellow for BU plan completion

Enterprise measurement Implement BCMM®

Incident Management/ Crisis Management

Local BU plans integrated with corporate crisis management plan

No corporate crisis management plan

Corporate crisis managemen team

Implement cross functional team

Metrics – Road Map

COMPETENCY MEASUREMENT FY07 FY08 FY09

Leadership X

X

X

X

Metrics X On going

X

Map to regulations X

50% 50%

X

FAR FUTURE

Enterprise, “C” level, Exec. Sponsor who is engaged and supportive of BCP

Employee Awareness

Training requirements program defined for each criticality tier

Employee Awareness

Training module required for all employees and new employees

Program Pervasiveness

Formal governance programSome method of measuring level of preparedness

Resource commitment

BCP activities are included in performance plans

External Coordination

External Coordination

SLA ATOD and performance requirements in contracts with service providers and suppliers

Crisis Management

Enterprise CM strategy, policy and processes

Regional roll out 50%

Regional roll out 50%

Metrics - Results

Explanation for Increase

Leadership Increase in senior management supportEmployee Awareness Increase in training and BG presentationsBC Program Structure Increase in integration of plansProgram Pervasiveness More business groups have plans

MetricsResource Commitment More involvement in business groups

Corporate Competancies 2.8 3.8 4.6 17.4%External Coordination PMO activitiesCrisis Management More active CCMT and roll out to CMAT'sTechnical Recovery Improved metrics from Sun ITSecurity Management Improved integration with Crisis ManagementBusiness Recovery More business groups have plans

2.4 3.1 3.8 18.4%

Total Score 2.8 3.7 4.5 17.8%

Sept. 2006

July 2007

Sept. 2008

% Increase

Increase use of BCMM for BG metrics and enterprise metrics

Business Continuity Program Content

Next Phase – IT, Business Groups and Suppliers

• Information Technology> Awareness> Measurement

•Business Groups and Suppliers > Annual score card> Reduced score if not current> Specific questions only

Tool Implementation

• IJET – asset monitoring• MissionMode

– Automated Employee Notification– Virtual Command Center

• Cross Functional– Security– Human Resources and Privacy– Facilities– IT

Risk Analysis

Security – Physical security assessments every 3 yearsFM Global

Based on risk factorsRecommendations focused on protecting physical assets

Facilities – Physical structure and threat analysisEmergency Response – Physical and threat analysisIT – based on infrastructure dependenciesMultiple tools

Risk Summit - Objectives

• To understand full range of asset risk related activities

• To reduce redundancy and improve overall efficiency

• To understand and leverage various tools• To reduce frequency of touch points at local

sites

Risk Summit - Attendees

• Physical Security• Data Security• Risk Management (loss control)‏• Crisis Management• Facilities• Environmental Health and Safety• Product Labs

Risk Summit - Outcomes

• Global Methodology• Tools Assessment

– Inventory– Data Mapping and hierarchy– Consolidation

• Site Assessments– Identify overlaps– Automate and consolidate– Travel calendar

QUESTIONS ?

THANK YOU

karen.dye@sun.com