Chris Gould - BCM case
1. Is there a need to invest in BCM? October 2011 www.pwc.com
2. The Business Case 01 There are many reasons for taking BCM seriously – but not all of them are relevant to our market.
3. We are facing increasingly evolving risks which impact our businesses: integrated supply chains; international disaster (Japan); outsourcing; offshoring; credit crunch; local production; regional unrest (Caucasus); complexity; pandemic flu; war against terror; IT failure; fire. [Chart axis: over time.]
4. And this becomes more complex as organizational models evolve. [Diagram: four organisational models (classic organisation; function outsourcing; business process outsourcing; brand & franchise model), each drawn as layers of Strategy, Brand, Governance, OpCo, Process and Site, with Payroll, Logistics and IT labelled.]
5. Does it matter? Damage to company reputation; loss of market value; loss of market share; a breach in industry regulation; supply chain disruption; loss of business opportunities.
6. High impact, low probability. Known risks: happened before; cause, impact, probability; e.g. earthquake, major debtor default, supplier failure. Emerging risks: several competing plausible models as to how reality might unfold; e.g. major terrorist act, climate change. Unknowable risks: unforeseeable; have not yet emerged; e.g. volcanic ash cloud? “Black swans”.
7. Does it matter? How value is destroyed in companies. [Chart: four categories (Strategic, Operational, Financial, Hazard) with the shares 39%, 28%, 19% and 14% shown. Labels: demand shortfall; cost overrun; customer retention; operating controls; integration problems; poor capacity management; pricing pressure; supply chain issues; regulation; employee issues incl. fraud; R&D; bribery and corruption; industry or sector downturn; commodity prices; JV or partner losses; macroeconomic; debt and interest rates; political issues; poor financial management; legal issues; asset losses; terrorism; goodwill and amortisation; natural disasters; accounting problems.]
8. The case for Business Continuity Management: impact on value. [Chart: stakeholder value against time (250 days). Labels: companies with a positive approach to business continuity; other companies; recoverers; non-recoverers; management skills and response; stakeholder communication; insurance alone is inadequate; plans need to be implemented.] Source: Knight / Pretty 1996 – 2010
9. BCM cause and effect (Colour choice review – note: next slide is an alternative version). Events / Threats: Disease (SARS, pandemic flu, BSE); Terrorism (9/11, 7/7); Catastrophes (New Orleans, floods, earthquakes); System failure (IT failure, safety systems); Fraud (Enron, Leeson). Business impacts: loss of staff; infrastructure disruption; loss of assets; loss of reputation; loss of supply; loss of revenue, loss of competitive position. Pressure for BCM: Governance (Sarbanes Oxley, Basel II); Civil legislation (CCA); Trading partners (clients, suppliers); Markets (insurance, money); Stakeholders (investors, staff).
10. BCM cause and effect. Events / Threats: Disease (SARS, pandemic flu, BSE); Terrorism (9/11, 7/7); Catastrophes (New Orleans, floods, earthquakes); System failure (IT failure, safety systems (Hatfield)); Fraud (Enron, Leeson). Business impacts: loss of staff; infrastructure disruption; loss of assets; loss of reputation; loss of supply; loss of revenue, loss of competitive position. Pressure for BCM: Governance (Sarbanes Oxley, Basel II); Regulations (e.g. CBR); Trading partners (clients, suppliers); Markets (insurance, money); Stakeholders (investors, staff).
12. What are we talking about here? Definitions: “A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.” BS25999 Part 1 Code of Practice
13. What is good practice? BS25999 (Pt 1 & 2); BS25777; FSA Good Practice Guide; ISO 27001; BASEL II/III; Sarbanes Oxley; Data Protection.
38. Five questions to ask yourselves: (1) Are the plans fit for purpose and easy to use? Are they up to date? Do we have the right plans? (2) Are they involved? Do they know the recovery priorities, what will happen in a crisis? Who does what and where? Is the board on top of this? (3) Does this link back to the board? Have accountabilities and assurance been defined? Is the governance right? (4) Have the plans been rehearsed effectively and regularly? Will the plans work? (5) Are sensible choices being made between expenditure on different risk treatments? Can people explain how much is being spent on resilience and why? Are we spending wisely?
40. Project components
Strategy: Next we need to determine options for recovery strategies and facilitate the selection of the most appropriate, to ensure your investment in BCM is targeted appropriately. Note that some strategies may require additional work and expenditure outside the scope of this project (for example, if additional IT recovery capability is needed).
Planning: During the programme you need to develop simple, effective crisis management, business continuity and incident response plans that are easy to use and simple to maintain. These plans should be owned and maintained by those who will actually use them.
Rehearsal & Validation – Embedding capability: Completed plans and the response teams should be exercised; this is vital to ensure they work as expected. This will outline the programme required for exercising and also implement the BCM system required to ensure that the plans are kept up to date.
Project Management: Need to ensure a pragmatic approach sensitive to your culture and requirements. Need to work closely with the audit and risk management staff to ensure that there is consistency across these activities.
Governance: BCM must be integrated with your wider risk management activity, and the necessary governance for BCM recommended. It is imperative to select the best team structure to plan and assure your BCM capability and to respond in a crisis.
Analysis: In developing your BCM capability, you need to establish a clear understanding of your organisation, its structures and systems, internal and external interdependencies, suppliers and stakeholders, and the resources required to recover your business quickly following disruption. This information is essential for BCM to support prioritisation, planning and strategy.
41. Project work streams. [Diagram: phases Understand, Plan, Embed. Labels: Project Management; Policy and framework; BC Management System; Incident Management / Crisis Plan; Process Recovery Plans; Business Continuity Plans; Programme Design; Exercising; Review; Governance; Dependency Plans; Training and Awareness; Strategic Business Impact Analysis; Department BIA; BCM Strategy.]
76. Summary: key activities (example company). [Diagram labels, in page order:] Management Information & Control Retail, Trading & Training Services Fund Raising Procurement Influencing Marketing ACEnt Call in time Direct marketing campaigns Sourcing of goods & services Media and PR DD payments Response centre service Shops ability to still trade Public affairs Gifted housing Cash don Warehouse supply Legacy admin International Hardship Grants Gift aid Events mgt I&A L1/L2 Warrington dispatch Customer queries / complaints Corporate partnerships I&A L3 Stock collection Handy van Marketing material Relations with trusts / major givers Digital Incl. Area Mgr. support 3rd Party Providers Bond Team Spirit Charityshare liaison Eldercare ACEnt providers Finance (GF) Bank Reconciliations Pay Suppliers Stat. Reports Mgmt. Inform. Albany Software E-mail Raisers Edge Telephony Servers Great Plains CRM db IT Systems (GF) Security Postal Services Switchboard Cleaning/Waste Mgmt Mtce & repairs Premises & Facilities (GF) Internal Comms Health & Safety Payroll Expenses Policy/ HR advice People & Performance Governance for Statutory Books Broker / Ins company/Loss adjustors liaison LEGAL Processes Legal
78. BCM has to speak to senior management so that they become engaged and set the right priorities.
79. This is a heat map for key business processes, designed to be quickly understood within the context of a management workshop. This is an example of how PwC makes BCM accessible and relevant to the business. [Heat map labels: Call centre; Advice service; Partner Relations; Regulatory Reporting; Impact; Recovery Time Objectives. * Natural controls have been taken into consideration.]
80. How to Approach BCM Programmes & Governance for complex organizations 04
81. Fit for purpose. [Diagram labels: Clients; Products / Services; Factories; HQ; Distribution; Sales Office; Partners; Suppliers; Support functions; Infrastructure; Organisation.]
83. Maturing BCM – moving goalposts?
Optimised. Characteristics: BCM integrated within overall risk management approach, and is embedded within the corporate governance processes. Ability to respond: Investment in BCM and Risk is optimised, and the organisation has sustained capability to respond to major threats.
Integrated. Characteristics: Analysis has been done across the organisational silos taking into account supply and value chain dependencies and risks. Ability to respond: Key business priorities understood, and organisation can implement a strategic response across sites and supply chain to disruptions.
Established. Characteristics: Business Continuity is integrated with incident and crisis management and emergency response. The BCMS is embedded in the organisation with regular exercising. Ability to respond: Response capabilities are optimised at a site level and their ability to recover operations is reasonably certain and efficient.
Formalised. Characteristics: BCM policy is set, and business continuity plans developed for key sites and facilities. Ability to respond: Key sites and facilities can respond to major incidents and they should be able to reduce the disruption to their operations.
Undeveloped. Characteristics: Piecemeal and ad hoc plans, usually driven by a need to comply with legislation or regulation. Ability to respond: Minimum legal / regulatory requirements are met but the ability to respond is patchy and uncertain.
84. Business Continuity Management vs. Risk Management. Risk Management: protection against threat; may miss high impact, low probability events. BC Management: recovery of business; may miss specific risk responses. [Other diagram labels: Likelihood; Dependencies; Impacts; Threats; Filter; Controls; Priorities; Plans; Investment.]
85. Governance: team structure and accountabilities. Response: Crisis Management Team; Business Recovery Teams; Incident Management Teams. Planning and Building: RMC / Steering Group; Risk Management; BU Heads and Champions. Assurance: Audit & Risk Committee; Internal Audit; BU Heads.
86. Governance: crisis management and business continuity teams. [Tabs: Planning; Response; Assurance.] Crisis Management Team: focused on future reputation, stakeholder value and decision making. Business Recovery Teams: focused on recovering the most important business activities, and the eventual restoration of business as usual. Incident Management Teams: responsible for incidents that impact a site / location; focused on immediate staff safety, incident management, recovery and salvage, local business protection, local communication, and local decision making.
87. Governance: accountability for planning. [Tabs: Planning; Response; Assurance. Diagram labels: Risk Management Committee; Internal Audit; Group Functional Heads; Risk Management; BU Head MD and Champion (repeated four times).]
88. Governance: assurance. [Tabs: Planning; Response; Assurance.] Audit & Risk Committee: ARC provides oversight on behalf of Board. Internal Audit: IA responsible for assurance on behalf of ARC. BU Leaders: BU Heads responsible for assurance that adequate BCM is in place for business unit. Functional Heads: responsible for assurance that adequate BCM is in place for their function across BUs.
90. Approach: exercise format. The diagram shows the wide range of exercise formats available, increasing in challenge and complexity from left to right. There are two formats of particular note. Facilitated discussion: this form of exercise is highly controlled and focuses upon talking through rather than doing the response. It is excellent for engaging a team for the very first time or walking through an entirely new plan. However, it provides little challenge for a highly skilled or high-level team. Single-team simulation: in contrast, this is a ‘doing’ exercise where the team needs to take and make calls, discuss and make decisions rapidly, and it provides a level of challenge appropriate to a senior management team. However, it requires a greater level of development and engagement to be successful and thus lead to further plan and team improvement. [Diagram: exercise formats from left to right: plan walkthrough; facilitated discussion; single-team simulation; multi-team simulation; full-scale live event. Other labels: Time and realism; Real-time; Accelerated phases; Resources; Capability; Confidence; Compliance.]
94. An Approach – plans Response team and plan structure 06
95. The structure of the response to disruption. [Diagram labels: Trigger; People; IT recovery; Assets and Workplace; Third Parties; Time.]
97. Business recovery is not just about IT and workplace recovery. There are also dependencies on staff, suppliers, partners, equipment, vital documents, etc. to consider, and plans to address these are needed. [Diagram labels: Trigger; People; DRP; Workplace recovery; Third Parties; Time.]
109. Restoration of infrastructure and functions: supply resilience; IT recovery (DRP); workplace and critical equipment recovery; staffing resilience.
111. The teams and plans need to be co-ordinated and integrated, with clear invocation and escalation procedures. Crisis Management Team: protection of reputation and business; decision making and direction; communication – external to stakeholders and media; communication – internal to staff; coordination of resources. Business Recovery Team: recovery of key products and services; work-arounds and recovery for key dependencies; restoration of infrastructure and functions. Incident Response Team: safety and protection of people and property; assess, stabilize, secure, and escalate to senior management; coordinate external response (police, fire, ambulance).