Convergence and Breaking Down Silos
Karen Dye, CBCP, MBCI
Director, Global Crisis Management
Sun Microsystems, Inc.
Topics
• Company Information
• Crisis Management Organization
• Evolution events and activities
  – Crisis Management
  – Activation flow
  – Critical Site List
  – Metrics
  – Tools
• Risk Summit
Sun Microsystems, Inc.
• Multi-National computer products and services company
• $13.8 billion revenue FY08
• 34,000 employees
• Over 100 countries
• Over 240 locations
• Products 62% of revenue
• Services 38% of revenue
• Research and development = 13% of sales
Sun Culture
• Centralized policy making
• De-centralized decision making
• Outside US – Country Manager is Country CEO
• Traditional silos with few integrated processes or collaborative responses
• Highly flexible work force – “Open Work”
Business Resiliency – Not an Island
• Regional and Corporate Crisis Management Plans
• Business Group Business Continuity Plans
• IT Disaster Recovery
• Emergency Response
• Security Response
• Facilities Response
• Human Resources Support
Evolution of Activities
2003 - 2004
• Prof. BCP Mgr
• Activation Exer
• Streamline templates
• Bottoms up
2005 - 2006
• BCP Audit
• Exec. Champions
• Pandemic Planning
• Beginning of CMT
• Critical Site List
2007 - 2008
• BCMM results
• CMAT's
• Notification System
• Security integration
2009 +
• Risk Summit
• Reduced Staff
• Efficiency
• Effectiveness
Pandemic Planning
• Commenced Fall 2005
• First cross functional crisis team
• Defined roles and responsibilities
• Now under Crisis Management umbrella
Crisis Management Functions
• Team Lead
• Emergency Response
• Global Sales & Service
• Legal
• Privacy
• Security
• Work Environments (EH&S, Facilities, Open Work)
• Employee Communications
• Finance
• Human Resources
• Media & Public Relations
• Risk Management
• Information Technology
• Manufacturing
Crisis Management Structure
[Organization chart; box labels:]
• Local Emergency Response Incident Commander
• Local Emergency Response Personnel
• Sun Incident Commander
• BCP BU Executive Sponsor
• BCP Executive Champion
• Crisis Management & Emergency Response Champion
• Crisis Management Program Office
• Corporate Crisis Management Team
• BU BCP Manager
• Plan Development Coordinator
• Recovery Team Lead
• Development Team Member
• Recovery Team Member
• Crisis Management Area Team
• Sun Site ER Team
  – Security Manager
  – Operations Manager
  – EHS Manager
  – Other Members
• Site ER Coordinator
• At Time of Disaster (ATOD)
• Functional Support Teams
Legend: Denotes Sun organization/personnel; Denotes external organization/personnel
Crisis Flow
Initial Actions (based on Time) / On Going Actions (based on Time)
Local On Site 1st Responders
1: Reduce Loss of Life & Damage
2: Notify Local Emergency Response Personnel (i.e. Fire, Police, etc)
3: Communicate to Regional & Corporate
Regional Crisis Management Team
1: Gather Team
2: Assess Damage / Situation
3: Determine Regional Crisis Lead
4: Needs Analysis from First Responders
5: Determine Immediate Action Required
6: Activate Communication Plan
7: On Going Activities
Corporate Crisis Management Team
1: Gather Team
2: Assess Damage / Situation
3: Determine Corporate Crisis Lead (where appropriate)
4: Needs Analysis from Regional
5: Determine Immediate Action Required
6: Activate Communication Plan
7: On Going Activities
Executive Leadership Team (ELT)
1: Initial Update Provided
On Going – Status Updates provided to ELT
NOTE: It is NOT necessary in all cases for the Corporate Crisis Management Team to be formed
Crisis Notification
[Flowchart with lanes for CMAT, SOC and ERAP; node text:]
• START HERE: Initial alert of an incident from iJet, media sources, local staff, etc
• Has the incident impacted a Sun asset? (Yes / No)
• CMAT monitors the “smoldering” event with updates from iJET
• Does the incident require building closure? (Yes / No)
• CMAT tasks SOC to send ENS alert
• CMAT activates/manages situation room.**
• Have public authorities or property mgt alerted Sun about the incident with specific instructions? (Yes / No)
• SOC sends ENS alert to evacuate or shelter in place.
** = CMAT may transfer situation room ownership to CCMT especially if multiple CMATs are involved in one incident.
Critical Site List – Problem Statement
• Multiple criteria used for prioritizing site related activities
• Little Consistency
• Need for enterprise evaluation
  – Repeatable process (allows for changing conditions)
  – Logical and credible
  – Auditable
Critical Site List - Purpose
Short Term
• Implementation of FM Global property engineering recommendations
• Resource allocation at BU and site level for Crisis Management and Business Continuity activities
Long Term
• Input to various budget allocation decision making
• Global location strategy
• Input to enterprise risk management process
• Input to Executive Leadership Team decision making
Critical Site List
Location GEO Revenue Mfg Score
 1   1  AMER  9  1  46.14  119.12   0.00   0.00  15.00  13.74
 2   2  APAC  6     30.76   71.83   0.00   9.32  10.00   9.30
 4   3  EMEA  6  1  30.76   36.47   0.00  38.88  15.00   9.23
 5   4  EMEA  1      5.13   94.38   0.00   0.00  10.00   8.35
 3   5  EMEA  6     30.76   30.03   0.00  31.22  10.00   7.78
 9   6  AMER  1      5.13   81.38   0.00   0.00   3.13   6.83
10   7  AMER  3  1  15.38    9.44  43.50   0.00  15.00   6.35
 7   8  APAC  6     30.76   11.97   0.00  25.45  10.00   5.96
11   9  EMEA  4  1  20.51   21.45  20.46   0.00  15.00   5.90
26  10  AMER  1      5.13   34.20  11.54   0.00  10.00   4.64
 6  11  EMEA  3     15.38    0.00   0.00  34.17  10.00   4.54
13  12  AMER  5  1  25.63   10.61   0.00   0.00  15.00   3.91
 8  13  AMER  6  1  30.76    1.18   0.00   0.00  15.00   3.58
15  14  AMER  6  1  30.76    0.00   0.00   0.00  15.00   3.49
16  15  APAC  6     30.76    1.71   0.00   5.79   6.55   3.42
12  16  EMEA  2     10.25    0.00   0.00  19.37   9.40   2.98
Sum: 71 0 0 0 0 0.0 364.00 523.77 75.50 164.20 184.08 100.00
2006 Rank
2007 Rank
No. of Tiered proc.
No. of mission critical apps
Mfg Site Annual Product Revenue ($billions per yr)
Building (1=owned)
Replacement Cost
Self insured repl. cost exposure ($millions)
Tiered Processes
Score
US Data Center Score
GEM Hub Score
Repl. Cost Score
Weighted Score
Metrics - Baseline
BCMM® Score
CORPORATE COMPETENCIES
• Leadership: 3.1
• Employee Awareness: 1
• Business Continuity Program Structure: 3.1
• Program Pervasiveness: 3.5
• Metrics: 2.6
• Resource Commitment: 4
• External Coordination: 2.6
Combined score for competencies: 2.8
BUSINESS CONTINUITY PROGRAM CONTENT
• Incident Management/ Crisis Management: 1.4
• Information Technology: 2.4
• Security Management (physical and IT): 4
• Business Recovery: 2
Combined score for content: 2.4
TOTAL SCORE: 2.8
Metrics – Gap Analysis
Employee Awareness
  – Gaps and/or Desired State: Training module for all employees
  – Current State: None
  – Dependencies & Implementation Needs: On line training module; Budget for training development
  – Priority: 2
  – Effort: H
Program Structure
  – Gaps and/or Desired State: Standards and policies in place
  – Current State: Policies in place, some standards
  – Dependencies & Implementation Needs: Expand Standards PMO resources
  – Priority: 3
  – Effort: H
Metrics
  – Gaps and/or Desired State: Method of measuring level of preparedness
  – Current State: Red, green, yellow for BU plan completion
  – Dependencies & Implementation Needs: Enterprise measurement Implement BCMM®
  – Priority: 2
  – Effort: M
Incident Management/ Crisis Management
  – Gaps and/or Desired State: Local BU plans integrated with corporate crisis management plan
  – Current State: No corporate crisis management plan
  – Dependencies & Implementation Needs: Corporate crisis management team; Implement cross functional team
  – Priority: 1
  – Effort: H
Metrics – Road Map
Columns: COMPETENCY MEASUREMENT, FY07, FY08, FY09, FAR FUTURE
• Leadership – Enterprise, “C” level, Exec. Sponsor who is engaged and supportive of BCP: X
• Employee Awareness – Training requirements program defined for each criticality tier: X
• Employee Awareness – Training module required for all employees and new employees: X
• Program Pervasiveness – Formal governance program: X
• Metrics – Some method of measuring level of preparedness: X, On going
• Resource commitment – BCP activities are included in performance plans: X
• External Coordination – Map to regulations: X
• External Coordination – SLA ATOD and performance requirements in contracts with service providers and suppliers: X
• Crisis Management – Enterprise CM strategy, policy and processes; Regional roll out 50%; Regional roll out 50%
Metrics - Results
                                      Sept. 2006   July 2007   Sept. 2008   % Increase
Corporate Competencies                   2.8          3.8         4.6         17.4%
Business Continuity Program Content      2.4          3.1         3.8         18.4%
Total Score                              2.8          3.7         4.5         17.8%
Explanation for Increase
• Leadership – Increase in senior management support
• Employee Awareness – Increase in training and BG presentations
• BC Program Structure – Increase in integration of plans
• Program Pervasiveness – More business groups have plans
• Metrics – Increase use of BCMM for BG metrics and enterprise metrics
• Resource Commitment – More involvement in business groups
• External Coordination – PMO activities
• Crisis Management – More active CCMT and roll out to CMAT's
• Technical Recovery – Improved metrics from Sun IT
• Security Management – Improved integration with Crisis Management
• Business Recovery – More business groups have plans
Next Phase – IT, Business Groups and Suppliers
• Information Technology
  > Awareness
  > Measurement
• Business Groups and Suppliers
  > Annual score card
  > Reduced score if not current
  > Specific questions only
Tool Implementation
• IJET – asset monitoring
• MissionMode
  – Automated Employee Notification
  – Virtual Command Center
• Cross Functional
  – Security
  – Human Resources and Privacy
  – Facilities
  – IT
Risk Analysis
• Security – Physical security assessments every 3 years
• FM Global
  – Based on risk factors
  – Recommendations focused on protecting physical assets
• Facilities – Physical structure and threat analysis
• Emergency Response – Physical and threat analysis
• IT – based on infrastructure dependencies
• Multiple tools
Risk Summit - Objectives
• To understand full range of asset risk related activities
• To reduce redundancy and improve overall efficiency
• To understand and leverage various tools
• To reduce frequency of touch points at local sites
Risk Summit - Attendees
• Physical Security
• Data Security
• Risk Management (loss control)
• Crisis Management
• Facilities
• Environmental Health and Safety
• Product Labs
Risk Summit - Outcomes
• Global Methodology
• Tools Assessment
  – Inventory
  – Data Mapping and hierarchy
  – Consolidation
• Site Assessments
  – Identify overlaps
  – Automate and consolidate
  – Travel calendar
QUESTIONS ?