national fire protection association’s · 2020. 3. 13. · • codes and standards numbered: nfpa...
National Fire Protection Association’s
Contribution to
Business Continuity Strategies
about me
1. Retired AVP Senior Business Risk Consultant
2. FM Global Trained:
   1. 35 Years Service
   2. Founder Member of the Business Risk Consulting Group (BRCG) for FM Global.
   3. Senior Account Engineer with Arkwright International/FM Global
   4. Field Engineer/Account Engineer with Factory Mutual International (FMI)
3. Industrial Experience
   1. Servicing FM Global’s Corporate Clients from Account Engineering & BRCG responsibilities.
   2. Conducted Business Impact Analysis (BIA) for pharmaceutical, mining, manufacturing, media, financial services, defence, medical, chemical, power generation… industries.
   3. Quantified financial risks for company’s internal & external global supply chains
   4. Contributed to Business Continuity training programmes & seminars
   5. Reviewed Business Continuity Plans for FM Global clients
4. Professionally Qualified to Masters Degree Level
   1. Member Chartered Management Institute (MCMI)
   2. Chartered Chemical Engineer (CEng)
   3. Fellow Institution of Chemical Engineers (FIChemE)
   4. Certified Business Continuity Practitioner (CBCP) DRII (Member Lapsed)
   5. Affiliate Member of Business Continuity Institute (BCI) (Current)
Business Continuity Management Survey
of 1,021 Managers from the
Chartered Management Institute
2007-2012
the introduction
[Figure: bar chart, Business Continuity Management Survey, Chartered Management Institute 2007-2012. % of managers anticipating specific causes of disruption, on an axis from 0% to 80%. Causes charted: School/childcare closures; Pressure group protest; Industrial action; Customer health/product safety incident; Environmental incident; Supply Chain disruption; Transport disruption; Employee health and safety incident; Loss of water/sewerage; Malicious Cyber Attack; Negative publicity/coverage; Extreme Weather (Flood/Winds); Terrorist Damage; Damage to Corporate image/brand/reputation; Loss of Electricity/Gas; Fire; Loss of People; Loss of Skills; Loss of Access to Site; Loss of Telecommunications; Loss of IT.]
[Figure: bar chart, Business Continuity Management Survey, Chartered Management Institute 2007-2012. % of managers: actual specific causes of disruption, on an axis from 0% to 80%, for the same 21 causes.]
[Figure: bar chart, Business Continuity Management Survey, Chartered Management Institute 2007-2012. Anticipated and actual causes of disruption shown together, on an axis from 0% to 80%, for the same 21 causes.]
[Figure: 12 month record of number and impact, by cause, of disruptive incidents (2011-12)]
[Figure: % of Organisations with Business Continuity Plans 2002-12]
Summary of Key Findings:
1. The actual cause of a “major” disruption cannot be
reliably predicted at any one time, hence the adopted
measures of “likelihood” and/or “probability” of
occurrence.
2. The meaning of a “major” impact to a business has
different significance, depending on who is asked.
3. The gradual increase in Business Continuity Plans is
primarily being attributed to corporate governance,
legislation/regulation and customer demands.
my objectives
1. To briefly summarise the origins of the NFPA business continuity
standard and to review the approach as a “concept for business
survival”.
2. To outline a bespoke Business Impact Analysis (BIA) which can align
Business Continuity activity with the entity’s business requirements.
3. To explore where NFPA’s fire protection and business continuity
activities could contribute to the continuity strategies for a company’s
overall Business Continuity Management Systems (BCMS) programme.
What this presentation is NOT:
1. A debate on all Business Continuity standards.
2. A discussion on risk probabilities.
3. A detailed financial analysis of a company
4. A preparation of a Business Continuity Plan.
5. A “worst-case scenario” study of an incident in a particular industry
6. A full list of Business Continuity definitions.
7. A complete description of what is required for a Business Continuity
Management System (BCMS), or the BCM Life-Cycle
8. A review of Emergency Management/Disaster Recovery systems
the agenda
1. Business Continuity’s Development
   a. the origins
2. Bespoke Business Impact Analysis
   a. the concept
   b. the activity
   c. the analysis
   d. the benefits
3. Business Continuity Strategies
   a. the summary
   b. the conclusion
the origins
NFPA’s Contribution to Fire Protection, Health and Safety
• Codes and Standards Numbered: NFPA 1 thru NFPA 8506
• “Established in 1896, NFPA develops, publishes, and
disseminates more than 300 consensus codes and
standards that are designed to minimize the risk and effects
of fire by establishing criteria for building, processing,
design, service, and installation in the United States, as well
as many other countries.
• Virtually every building, process, service, design, and
installation in society today is affected by NFPA documents.”

Timeline and Status
1995 • NFPA 1600 issued as first standard on disaster/emergency response
2000 • Updated to include “Total Programme Approach”
2004 • Updated terminology and reformatted text
2007 • Expanded conceptual framework for disaster/emergency management & Business Continuity programmes.
     • Prevention, risk management, security, loss prevention
2010 • Reordered & expanded Programme Management.
     • Addressed planning, implementation, testing & exercising, programme improvement
     • Required Business Impact Analysis
2013 • Wide array of changes.
     • Alignment with CSA Z1600 & DRII Professional Practices
NFPA 1600: Purpose and Application
Business Continuity adoption:
• Predominant standard for US & Department of Homeland Security (DHS).
• Used in Europe, Latin America, Asia, Chile, China, Colombia, Ecuador, Korea, Thailand, T&T.
Primary Focus:
• Mid-size to large public, not-for-profit and private sector organisations
Primary objective:
• High level standard defining the essential elements of an emergency management and business continuity program.
Strategic Objectives based on:
• Prevention & mitigation of vulnerabilities to people, property, environment, business enterprise.
• Programme constraints, operational experience and cost benefit analysis from detailed analysis of all threats, hazards & causes.
Overall Outcome:
• Procedures for documenting responses primarily according to laws and regulations.
“Disaster/Emergency Management. An ongoing process to
prevent, mitigate, prepare for, respond to, maintain continuity
during, and recover from an incident that threatens life, property,
operations, or the environment.
Business Continuity. An ongoing process to ensure that the
necessary steps are taken to identify the impact of potential
losses and maintain viable recovery strategies, recovery plans,
and continuity of services.”
NFPA/DRII Definitions
Disaster/Emergency Management & Business Continuity Auditor Training
NFPA 1600 IS A BCM STANDARD …
1. …emphasising programme policies and management components, provides
guidelines that address the analysis, planning and implementation of the core
elements of crisis management, business resumption planning and IT disaster
recovery to manage the impact of disasters.
2. …legally compliant but less concerned with the business requirements of the entity
3.3.3 Business Impact Analysis.
A management level analysis that identifies, quantifies,
and qualifies the impacts resulting from interruptions or
disruptions of an entity’s resources.
The analysis may identify time-critical functions, recovery
priorities, dependencies, and interdependencies so that
recovery time objectives can be established and
approved.
NFPA® 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2013 Edition
5.3.2 The BIA shall evaluate the potential impact resulting from interruption or disruption of
individual functions, processes, and applications.
5.3.3* The BIA shall identify those functions, processes, infrastructure, systems, and
applications that are critical to the entity and the point in time [recovery time objective
(RTO)] when the impact of the interruption or disruption becomes unacceptable to the
entity.
5.3.4 The BIA shall identify dependencies and interdependencies across functions,
processes, and applications to determine the potential for compounding impact in the
event of an interruption or disruption.
5.3.5* The BIA shall evaluate the potential loss of information and the point in time
[recovery point objective (RPO)] that defines the potential gap between the last
backup of information and the time of the interruption or disruption.
5.3.6* The BIA shall be used in the development of recovery strategies and plans to support
the program.
NFPA® 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2013 Edition
NFPA 1600 States the BIA should include 3 main components:
1. Identify the lines of process flow (i.e., material flow, information flow,
people movement, cash flow) and time constraints.
2. Identify the interruption potentials that describe the financial,
regulatory, customer, or operational impacts.
3. Identify the entity’s dependency on technology infrastructure.
NFPA® 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2013 Edition
Typical observations from my review of Business Continuity Plans:
1. Plans lacked strategic direction from a Senior Management
Business Continuity Policy.
2. Plans had no documented ownership, or demonstrated practical
support, by appointed Senior Management at Board Level
3. Plans not aligned with business requirements:
a. lacked business objectives,
b. omitted customer requirements,
c. ignored market demands to maintain a key customer base,
d. omitted actions to assure delivery of products and/or services.
4. Plans predominantly based on “worst-case” scenarios identified
from specific causes of disruption and estimated time required to
repair damage and restore operations to normal levels.
5. Plans contained far too much detail and appeared onerous to
maintain current.
the concept
What is wrong with these questions?
Business Continuity Survey Question, followed by What the Questions should have Asked:
1. Survey question: How will we do business if our critical systems are rendered inoperable?
   Should have asked: How can we maintain delivery of our products/services to achieve survival income?
2. Survey question: How can we resume operations quickly following a business disruption?
   Should have asked: Within what time do we need to recover critical operations to achieve survival income?
3. Survey question: Are there any particular vulnerable aspects to our business that we can eliminate as opposed to harden?
   Should have asked: What strategy is required to reduce our dependency on internal and external critical activities?
4. Survey question: What are the pieces of business that are so critical that a major investment in hardening or redundancy would be justified?
   Should have asked: Which products/services must we deliver to key customers to maintain survival income during recovery of operations?
5. Survey question: Despite taking proper precautions are we still vulnerable to disruption due to outmoded infrastructure in the region?
   Should have asked: ????
BUSINESS SURVIVAL IS PRIMARILY ABOUT MANAGING CASHFLOWS:
1. Maintaining optimum cash-flows over time during
periods of:
• …unplanned disruption to normal operations
• …recovery to product/services delivery “as usual”
2. Ensuring future growth in income by:
• …supporting present & future customers
• …development of future key markets
• …reflecting changes to the business environment
• …complying with legislation and regulation
MANAGEMENT MUST BE PRO-ACTIVE IN MANAGING CASHFLOWS:
Management need to…
• …establish business continuity objectives that must be achieved over time to
maintain sufficient cash flows for the business in the event of any disruption,
• …approve appropriate Business Continuity strategies to achieve the objectives
TIME IS MONEY!!
[Figure: Service capacity (cashflow), from 0% to 100%, plotted against time for an unplanned operational disruption & restoration. Levels marked: normal level of operation; minimum level of operation for business survival. Phase 1: Incident Response Plan (immediate, short term). Phase 2: Disaster Recovery Plan (short to medium term). Phase 3: Business Continuity Plan (BCP) (medium to long term). Also marked: decision to invoke BCP; Maximum Acceptable Outage (MAO); increasing size of incident.]
Business Continuity Strategy Objective
…Management pre-determines what needs to be managed right to achieve the objectives…
Causes of Physical Disruption and Pre-Disruption Mitigating BC Strategies
Natural Catastrophes
• Earthquake: Enhanced structural design standards
• Tsunami: Height of tidal levees at susceptible locations
• Flood: Maintenance, dredging, adequate flood walls, barriers
• Windstorm, hurricanes, tornados: Secure buildings & structures to National Standards; adjust ground level gradients, add drainage
Operational Failure
• Loss of Equipment: Alternate providers and/or shared resources
• Mechanical breakdown: Regular maintenance, spare parts policy, duplication
• Property damage: Fire sprinklers, water supply, fire walls, non-combustible construction, fixed extinguishers, hazard reduction
• Construction collapse: Building design codes
Causes of Non-Physical Disruption and Pre-Disruption Business BC Strategies
Reduced Product Sales
• supplier solvency: product substitution, replacement, duplication, dual sourcing
• increased market competition: discount options, target specific markets
• end of product life-cycle: product mix, product churn, new product development
• out-dated business model: expand distribution channels (national vs international), implement internet access, next day delivery….
Operational Failure
• obsolete equipment: phased replacement & updating, standardisation
• loss of key people’s skills: succession planning
• poor management practices: management team skills, Merger & Acquisition (M&A), take-over
• regulation/legal violation: implement sound relationships with governing authorities
Consequences of Disruption
• Loss of productivity
• Customer complaints received
• Increased cost of working
• Service outcome impaired
• Loss of revenue
• Damage to brand/reputation/image
• Product release delay
• Product recall/withdrawal
• Payment of service credits
• Share price fall
• Stakeholder/shareholder concern
• Delayed cash flows
• Expected increase in regulatory scrutiny
• Loss of regular customers
• Fine by regulator for non-compliance
Cost of Largest Single Disruption in Supply Chain
Total Cost and % Survey Respondents
Greater than €1mill
€500,000-€1mill
€250,000-€500,000
€50,000-€250,000
<€50,000
9%
9%
19%
5%
59%
BCI Supply Chain Survey 2013
Stage 1: Understand the Business
• Management establish strategic business continuity objectives
– Agree minimum cash-flow required for survival.
– Identify key markets and customers essential to the business.
– Establish the Maximum Acceptable Outage (MAO) for key products
and/or service deliverables.
Stage 2: Develop Strategies for Survival
• Management approve measures for resilience.
• Management approve strategies for continuity.
Stage 3: Implement the Strategies
• Protect physical assets for internal & external resources.
• Enhance resilience of internal & external supply chains for key
deliverables, as required.
the activity
[Figure: Sample interdependency flow diagram for Corporate products & services]
[Figure: Sample Structure for a Company’s Product/Services. Product columns: Niche Products, Premium Products, Commodity Products. Rows: Product Categories, Product Branding, Markets Served, Consumer Profiles. Value chain running from SUPPLIERS to CUSTOMERS, with support layers (Firm Infrastructure – Assets & Resources; Management Philosophy; Information Technology & Communications; Business Continuity Management), activity blocks (Inbound Logistics; Finished Good or Process Control; Manufacturing or Processing Operations; Outbound Logistics; Marketing, Sales & Service) and Profit. Labelled MISSION CRITICAL ACTIVITIES (MCA).]
Understanding the Business Activity Focus
• Marketing: Sales, Sales Recovery & Customer Profiles
• Finance: Sales/Insurable Gross Profit/Business Income
• Operations: Activity dependency on income stream at each location
• Suppliers & Purchasing: Key product service dependency
• IT/IS/ICT: Dependency on information/data for delivery
• Business Continuity & Disaster Recovery Management: Status and relevance for business needs.
the analysis
[Figure: Sample Financial Dependency Matrix For 12 Months Trading]
Market Recovery Profile
Percentage of the product revenue anticipated in each year following restoration of supply, as a percentage of the revenue in the year prior to the disruption.
[Table: columns Assumed Period of Disruption, Year 1, Year 2, Year 3; rows for 3, 6, 9, 12, 15, 18, 21 and 24 months; no cell values present.]
Impact vs Time Recovery Profile for Strategic Income Streams
[Figure: chart of cash-flow impact (% annual income), on an axis from 0% to 200%, against months of disruption (3, 6, 9, 12), with series Production Impact and Market Impact. Data labels on the chart: 25%, 50%, 75%, 100%, 50%, 65%, 83%. Annotations: “Worst case” unmitigated impact; Business Continuity Strategies; “Business Continuity Strategic Objective” mitigated impact.]
the benefits
1. Understand the Business & Establish Continuity Objectives
The Business Impact Analysis establishes bases for key continuity objectives:
• Product delivery criteria (MAO) for strategic market & income streams,
• Identifies critical dependencies through internal and external supply chains
• Identifies “Mission Critical Activities” (MCA) for resources, activities and processes,
• Quantifies the financial dependency on internal & external resources & suppliers
2. Continuity Strategies
Pre-plan strategies required to achieve continuity objectives:
• Know what options are required to achieve optimum cash-flow
• Identifies “What needs to be managed right” to achieve objectives
• Protects key physical property assets from physical damage
• Reviews options to enhance resilience of critical activities and key suppliers
1. Costs for Business Continuity Strategies are spent where there is added value:
• Enhances the business of the company through improved resilience
• Improves & enhances alignment with normal business requirements
• Protects critically dependent physical assets within the supply chains
• Achieves minimum cash-flow for the business, whatever the cause of the disruption may be.
• Costs incurred can enhance normal business practice.
2. Integrating Business Continuity Management Systems supports Management:
• Improves product and/or service delivery to the company’s customer
• Reduces costs of business continuity
• Provides competitive advantage for the business from demonstrating added resilience.
the summary
How can NFPA make a contribution to Business Continuity Strategies?
“NFPA 1600 & 13 Codes & Standards provide a consistent quality standard for a
company to achieve strategic Business Continuity objectives….”
NFPA 1600 contributes to Business Continuity strategies by advising on:
1. What information should be gathered in a BIA to establish strategic objectives.
2. Guidance for management to assess what strategies should be implemented to
achieve the strategic objectives.
NFPA 13 contributes to Business Continuity strategies by:
1. Providing a quality standard for the implementation of physical protection where
required as a solution for identified Business Continuity strategies.
the conclusion
The National Fire Protection Association’s Business Continuity
activities and expertise directly support a company’s business
continuity strategies through:
a) The specification of the content requirements of a
Business Impact Analysis in NFPA 1600.
b) Offering qualified expertise and quality products and
services through NFPA 13 where the protection of
physical assets is deemed a solution to a continuity
strategy.
I have:
1. Summarised findings from a Business Continuity survey
2. Briefly explored the origins of the NFPA’s Business Continuity Standard
and appropriateness as a “concept for business survival”
3. Described a BIA process which can help establish business continuity
strategic priorities and objectives that will enhance the delivery of the
entity’s products and services as an aid to business survival.
4. Identified where NFPA’s core competences in the development of
specific Codes and Standards can be applied to support an entity’s
business continuity strategies
one final thought
Causes of Business Disruption and Sample Cash-flow BC Strategies
Reduced Product Sales
• supplier solvency: product substitution, replacement, duplication, dual sourcing
• increased market competition: discount options, target specific markets
• end of product life-cycle: product mix, product churn, new product development
• out-dated business model: expand distribution channels (national vs international), implement internet access, next day delivery….
Operational Failure
• obsolete equipment: phased replacement & updating
• loss of key people’s skills: succession planning
• poor management practices: management team skills, Merger & Acquisition (M&A), take-over
• regulation/legal violation: implement sound relationships with governing authorities