Financial Services
BUSINESS CONTINUITY MANAGEMENT: FROM TACTICAL AND LOCAL PLANNING TO GLOBAL RESILIENCE AND ASSURANCE
AUTHORS
Alon Cliff-Tavor, Principal, Digital, Technology & Analytics
Wei Ying Cheah, Principal, Finance and Risk
ASIA PACIFIC RISK CENTER: FINANCE AND RISK SERIES
“The only thing harder than planning for an emergency is explaining why you didn’t” (Unknown)
INTRODUCTION
Business Continuity Management (BCM) is a holistic process that enables institutions to
prepare for, and respond to, potential crisis situations that lead to disruptions in normal
operations. The main objectives of BCM are first, to develop Business Continuity Plans
(BCPs) to ensure continuation of critical functions in the event of a crisis; second, to
implement and practise these plans so they can be executed effectively, if and when a crisis
actually occurs; and third, to improve efficiency and effectiveness of these plans over time,
continually adapting to changing risks.
TRADITIONAL PERSPECTIVES
Many organizations that have developed BCPs have historically viewed this exercise in
silos. Typically, traditional BCPs cover an institution’s crisis response across the following
independent elements:
• Location: The risk of a specific location or facility becoming unusable due to weather, natural disaster, terror attack, power failure, etc.
• People: The risk that human resources are unable to fulfil their functions for any reason, including pandemic outbreak
• Technology (IT): The risk that a specific data center or another critical infrastructure component goes offline
• Liquidity: The risk of a liquidity shortage due to a variety of crisis scenarios
Exhibit 1: BCM Framework
Key enablers: scope and mandate; governance and organization; reporting
Normal time:
• BCM risk identification and mitigation: risk identification and assessment; business impact analysis (BIA); recovery strategy; plan development
• Training and testing: training and awareness; testing and exercising
• BCM plans: emergency response plan; crisis management plan; business continuity plan; IT contingency plan
Crisis time:
• Crisis management process: incident monitoring and escalation; crisis assessment; crisis decision making; crisis monitoring; back-to-normal decision making; post-crisis learning
Copyright © 2017 Oliver Wyman 3
Often there is very little coordination among these elements, or between the functions
entrusted with them. Corporate real estate takes care of buildings, IT is responsible for
technology resilience, liquidity committees deal with their own domain, and business or
governance management deals with the remaining resources (or is supposed to).
Over the last few years, we have witnessed several instances in which financial institutions
were subject to substantial business disruptions, for which they had, at best, only partial
solutions. Traditional BCM approaches have proven inadequate in times of genuine need.
However, we have learned important lessons from recent crisis events and from the
responses of our clients and other industry players.
SHORTCOMINGS IN TRADITIONAL BCM METHODS
1. BCM REQUIRES REASSESSMENT IN LIGHT OF MORE FREQUENT AND SEVERE CRISES
Given climate change-related increases in the frequency and severity of extreme weather events
such as storms [1], we believe that institutions should dedicate time and resources to
re-evaluating their approach to BCM. Recent crises have demonstrated that traditional
recovery strategies and alternate site locations are not fit for the severity of the natural
disasters actually encountered.
For instance, a North American regional bank struggled with its response to Superstorm Sandy.
Both of the bank’s Disaster Recovery (DR) sites were connected to the same electricity grid,
which the storm took down completely. As a result, despite being geographically distant from
one another, both DR sites went offline and were unusable. This example emphasizes that DR
sites must be chosen to be not only geographically distant from one another but also reliant
on separate utilities and infrastructure: geographic separation alone does not remove a
shared upstream dependency.
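The Sandy case is a correlated-failure problem: two sites that look independent on a map can share an upstream dependency (a grid operator, a telecom carrier, a data-centre operator) that fails as a unit. The following is an added example, not code from the report or from Oliver Wyman, that models sites and their upstream dependency graph and flags site pairs that are not actually independent, as well as any single dependency whose loss would take down every recovery option at once. All site names, regions and dependency names are constructed for the illustration.

```python
"""Correlated-failure check for primary and disaster recovery (DR) sites.

Added example, not from the Oliver Wyman report. It models the failure
mode in the Superstorm Sandy case: two DR sites that are geographically
distant can still fail together when they hang off the same upstream
dependency (a power grid, a telecom carrier, a data-centre operator).
All site names, regions and dependency names below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    region: str                 # geography only; not a proxy for independence
    depends_on: FrozenSet[str]  # direct dependencies (substation, circuit, ...)


# Upstream dependency graph: node -> nodes it in turn depends on.
# Constructed for the example: two substations share one grid operator,
# two circuits share one carrier.
UPSTREAM: Dict[str, Set[str]] = {
    "substation-A": {"grid-east"},
    "substation-B": {"grid-east"},
    "substation-C": {"grid-west"},
    "circuit-1": {"carrier-X"},
    "circuit-2": {"carrier-Y"},
    "circuit-3": {"carrier-X"},
}

# Constructed sites: dr-1 is in another state but on the same grid as primary.
PRIMARY = Site("primary", "NY", frozenset({"substation-A", "circuit-1"}))
DR_SITE_1 = Site("dr-1", "NJ", frozenset({"substation-B", "circuit-2"}))
DR_SITE_2 = Site("dr-2", "TX", frozenset({"substation-C", "circuit-3"}))


def closure(start: FrozenSet[str], graph: Dict[str, Set[str]]) -> Set[str]:
    """Return `start` plus every transitive upstream dependency of it."""
    seen: Set[str] = set()
    stack = list(start)
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen


def shared_dependencies(a: Site, b: Site, graph: Dict[str, Set[str]]) -> Set[str]:
    """Dependencies whose loss would affect both sites at once."""
    return closure(a.depends_on, graph) & closure(b.depends_on, graph)


def correlated_pairs(sites: List[Site], graph: Dict[str, Set[str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Every pair of sites that is not independent, with what they share.
    Pairs in different regions are still reported: distance is not independence."""
    result: Dict[Tuple[str, str], Set[str]] = {}
    for a, b in combinations(sites, 2):
        shared = shared_dependencies(a, b, graph)
        if shared:
            result[(a.name, b.name)] = shared
    return result


def common_single_points_of_failure(sites: List[Site], graph: Dict[str, Set[str]]) -> Set[str]:
    """Dependencies whose loss would take down *every* listed site.
    An empty set means no single upstream failure removes all recovery options."""
    closures = [closure(s.depends_on, graph) for s in sites]
    if not closures:
        return set()
    return set.intersection(*closures)


if __name__ == "__main__":
    all_sites = [PRIMARY, DR_SITE_1, DR_SITE_2]
    for (a, b), shared in correlated_pairs(all_sites, UPSTREAM).items():
        print(f"{a} and {b} share upstream dependency: {sorted(shared)}")
    # Sandy-style layout: primary plus a single DR site on the same grid.
    print("SPOF across primary + dr-1:",
          sorted(common_single_points_of_failure([PRIMARY, DR_SITE_1], UPSTREAM)))
    print("SPOF across all three sites:",
          sorted(common_single_points_of_failure(all_sites, UPSTREAM)))
```

With the constructed data, primary and dr-1 are reported as correlated through grid-east even though they sit in different states, and a two-site layout of primary plus dr-1 has grid-east as a single point of failure; adding dr-2, which depends on a different grid and carrier, removes it. The same walk over the graph works for any dependency an institution chooses to model (fibre routes, cloud regions, payment network access), which is the "eco-system lens" the report asks for later.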
This trend also raises concerns with regard to regulatory constraints in extreme crisis
events. For example, in Japan’s Triple Disaster in 2011, another bank’s entire operations
in the country went offline. Under such circumstances, the only continuity plan would be
to promptly assign critical functions and capabilities offshore. However, in this instance,
local regulations prohibited the offshoring of certain key critical functions, leaving the
institution unable to continue operations. This example highlights the importance of taking
regulatory constraints into account when developing BCPs. Furthermore, industry bodies
and individual institutions should lobby regulators to promote awareness of such matters,
and to persuade them to contemplate extreme circumstances in the development of any
legislation, well before crisis situations.
[1] Global warming: The evolving risk landscape. Sep 2013.
2. BCM OFTEN IGNORES THE INTERCONNECTEDNESS OF GLOBAL BUSINESSES
Too often, we see business continuity planning being performed by local management at
the country, city or even facility level. This poses significant risks, as these localized BCPs
often ignore the regional or global significance of the location or facility for one or more
business lines.
For example, we have seen a large global institution fail to recognize the global
interconnectivity of its Germany-based facility, which played a critical and unique role in
Euro clearing and in trading specific asset types. This facility in Germany was responsible for
these functions globally, a fact that was not properly considered in the institution’s locally-
devised BCPs. It was only when the facility faced the grave risk of becoming unavailable for
a substantial period of time that the relevant business heads realized the mistake. The BCP
supported only local requirements. As a result, it was a woefully inadequate solution given
the global network’s degree of reliance on that particular facility.
Many institutions would benefit greatly from a shift in perspective, moving away from
preparing disaster recovery BCPs based on local priorities, to instead focusing on end-to-
end global resilience. These robust, global BCPs should be fully owned by global business
process owners at the appropriate level.
3. SCOPE OF BUSINESS CONTINUITY PLANNING SHOULD BE EXPANDED
We have identified three additional scenarios that should be included in a robust BCP with
enhanced scope, but all-too-often are not, in practice:
a. Loss of license: This scenario involves the risk of losing a key license, or having it restricted in certain respects due to regulatory and/or political threats. The most recent and well-known situation was an order from the New York Department of Financial Services to an emerging market bank in August 2012. With regulatory expectations at an all-time high, and regulators and governments pursuing strict measures to ensure compliance and punish any transgressions, we might see similar situations continue to evolve. It should be noted that merely the threat of losing a license could sometimes have severe consequences, as clients might rush to draw deposits, potentially creating a liquidity shortage.
b. Clients’ perspectives: A robust BCP should consider clients’ business continuity requirements and the institution’s ability, readiness and willingness to support clients in such situations. For example, institutions should consider how they might support a client that is experiencing prolonged power failures or an inability to access facilities, when the institution itself remains open for business. Furthermore, institutions should consider communication strategies for customers during catastrophic events. This customer focus can be a key differentiator against competitors during times of crisis.
c. Social and political unrest: While not completely new in the catalogue of possible scenarios, the probability of such scenarios is certainly rising in many parts of the world, as highlighted in the 2017 Global Risks Report by the World Economic Forum, supported by Oliver Wyman and MMC [2]. Ensuring that scenarios relating to political upheaval, mass protests and strikes, and acts of terrorism, among others, are accounted for is, in our view, crucial for a functioning BCM.
QUESTIONS TO CONSIDER
To address these shortcomings, there are a number of key areas within the BCM framework
and a list of questions that institutions should address. For each framework component, the
questions are followed by the shortcoming they mitigate.

BCM governance
• Who owns business continuity management? Are they the right people/function to take a holistic view of all evolving business needs (including potential disruptions due to regulation/liquidity events)?
• How often do you conduct a thorough review of your BCP policies, procedures, guidelines and plans to ensure they continue to fit your business needs and realities?
Shortcomings mitigated: expansion in BCM scope; reassessment of whether BCM is fit-for-purpose

BCM scope and mandate
Do your BCM policy, procedures and guidelines:
• Take a business-focused view, and are they able to handle the consequences of an increasingly global business/product eco-system in an increasingly regulated environment?
• Consider potentially providing support to clients in business continuity events?
Shortcomings mitigated: expansion in BCM scope; interconnectedness of global business

BCM risk identification and mitigation
As part of your normal-time BCM risk identification process, do you:
• Consider sufficiently severe scenarios?
• Account for new/emerging business continuity risks?
• Employ an eco-system lens (end-to-end process and data flow view) when examining the resilience of your infrastructure, so as to identify people, location, regulatory, technology, telecom and other dependencies and soft spots, in order to formulate business and function resilience plans?
Shortcoming mitigated: new/emerging or unusually severe crisis

BCM plans
As part of your BCM plans, do you:
• Ensure your BCPs are able to cater for a wide range of scenarios, including a large-scale/unusually severe disturbance?
• Ensure your alternate sites do not suffer from the same weaknesses experienced by several institutions in recent years (such as shared utilities)?
• Consider potential plans for a move to an out-of-country, regional or global disaster recovery site approach?
• When planning for continuity events and threats, take a specific location and asset view, or a truly broad, global, business-centric view?
Shortcomings mitigated: new/emerging or unusually severe crisis; interconnectedness of global business

Training and testing
• Do those responsible for BCPs have the right knowledge, skills and access to assess and plan continuity from a holistic and strategic business perspective?
• Do you conduct regular and robust training, including BCM simulations?
Shortcomings mitigated: expansion in BCM scope; interconnectedness of global business
[2] Marsh & McLennan Companies. Global Risks Report. Jan 2017.
CONCLUSION
While the nature and timing of continuity events are never predictable, their
consequences – unavailability of systems, facilities, and people – and the impact of these
consequences on institutional processes, can generally be anticipated. Institutions should
focus on building robust, globally-focused plans to mitigate common crisis repercussions.
BCM training and testing of BCPs, coupled with proper governance, are critical to effective
crisis management.
Exhibit 2: Illustration of effective BCM in action (operational status over time, from 100% before the incident: with effective BCM the drop after the incident is smaller, i.e. the institution is more resilient to disruption, and the recovery time is shorter than with no BCM)
Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organization transformation.
ABOUT
Marsh & McLennan Companies’ Asia Pacific Risk Center draws on the expertise of Marsh, Mercer, Guy Carpenter, and Oliver Wyman, along with top-tier research partners, to address the major threats facing industries, governments, and societies in the Asia Pacific region. We highlight critical risk issues, bring together leaders from different sectors to stimulate new thinking, and deliver actionable insights that help businesses and governments respond more nimbly to the challenges and opportunities of our time. Our regionally focused digital news hub, BRINK Asia, provides top executives and policy leaders up-to-the-minute insights, analysis, and informed perspectives on developing risk issues relevant to the Asian market.
Copyright © 2017 Oliver Wyman
All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect.
The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written consent of Oliver Wyman.
www.oliverwyman.com