Jeremy Smith
©2005 Deloitte & Touche
Business Continuity Management.
Jeremy Smith, Practice Leader, Enterprise Risk Services
Caribbean Association of Indigenous Banks
November 2005
Agenda
• Introduction to Business Continuity Management
• Lessons Learned from Hurricane Ivan
• Summary
Introduction to Business Continuity Management
Benefits of Business Continuity Management and Crisis Management
[Figure: Development period for a new problem. Axes: Number of Incidents, Time. Labels: First Failure, Problem Understood, Losses. Key: Reactive feedback; Proactive Risk and Crisis Management. Annotation: Improvement in the curve due to early warning of problems. Source: Allen, D.E. (1992)]
Legislation and regulations are focusing on protection of the entire financial market, escalating BCM as a key regulatory requirement.
BCM Regulatory Summary
Business Continuity Management Drivers
• NASD Rules 3510, 3520 and NYSE 446
• OCC and SEC White Paper
• ICSA
• CFTC Compliance Rule 2-38
• SEC Policy Statement
• FSA Paper 142 Consultation Paper
Risk Management Drivers
• GLBA, HIPAA, PIPEDA
• Sarbanes-Oxley
• Basel II
[Figure: Axes: Business Value, Vision. Items: Backups; Disaster Recovery Plan; Business Continuity Plan; Business Continuity Management; Continuous Availability; Resilience; Predictive Modeling. Stage labels: Disaster Recovery; Business Continuity Planning; Business Continuity Management]
Continuity has moved from Operational to Management Imperatives
A Framework for Business Continuity
This approach assumes the development of a long range capability; more than just a plan.
[Figure: framework diagram. Phases: Analyze; Develop; Implement; Process Improvement. Components: Current State Assessment; Risk Assessment; Business Impact Analysis; Governance; Availability/Recoverability Strategies; Procedures; Resource Acquisition & Implementation; Training & Testing; Maintenance]
Lessons learned from Hurricane Ivan
Anatomy of a Storm
Naval Research Lab
Anatomy of a Storm (continued)
UN Economic Commission for Latin America and the Caribbean (ECLAC)
• Total damage US$3.5 billion (2 yrs Cayman GDP)
• Estimate US$95,625 per person
By Sector
• 53% Social US$1.88 billion
• 33% Production US$1.2 billion
• 14% Infrastructure US$420 million
Tips from Lessons Learned
Geographical Disbursement
• Separate primary and backup sites
• Investigate working from alternative jurisdictions
• Pre-clear permits and operation license with regulators, legal counsel, and relevant authorities
Dual-sited Organisations
• Engineer fail-over and Disaster Recovery capability
• Test backup sites regularly
Tips from Lessons Learned
Transportation
Communication Plan
• Develop strategies in advance (e.g. plane charters, reserved flights and vehicle fuel storage)
• Set up remote working ability
• Automated notification systems - multiple devices (cell, email, land line)
• Set up backup cellular networks (e.g. BlackBerries, PDA)
• Predefined/agreed messages
Tips from Lessons Learned
Service Level Agreements
Plan Maintenance and Testing Critical
• Agreements in place (transportation, DR, etc.)
• Conduct vendor risk assessments
• Test recovery capability of vendors
• Scenario driven crisis management and business recovery plans (evolve during major reorganisations/systems conversions)
Tips from Lessons Learned
Chain of Command
Human Aspects
• Crisis leadership that can quickly mobilize invocation procedures
• Pre-agreed roles/responsibilities and levels of authority
• Encourage counseling services
• Succession planning
• Assist employees' personal recovery
• Engage remote working or non-critical employees
• Prepare for compassionate situations (family bereavement)
A member firm of Deloitte Touche Tohmatsu
Summary
In Summary
Financial Institutional Objective:
• Decide risk position as it relates to increasingly strict BC regulation and lessons learnt
• Seek clear demonstration of response & recovery capability from your organisation
• Ensure all critical operational and physical components are integrated into your approach
Finally… Evaluate your BC programme in its entirety