Zero Disruptions Workshop
Strategies and Solutions for Maintaining Business Continuity
Calvin (Cal) Beyer
5th Annual PDC
April 18, 2013
Your Presenter: Cal Beyer
• 25 years of insurance industry experience
• Multi-industry risk management thought leader
• Former National Officer of Construction Financial Management Association
• Author/co-author of articles on emergency management, critical incident response, reputation risk and business continuity
• Co-author of CFMA Business Continuity “Lessons Learned” resource
• Co-developer of CFMA Emergency Management continuing education course
– Co-presented CFMA’s EMP course annually since 2007 at Annual Conference
– 30 presentations (2006-2010) for 2,400+ financial and operational professionals
• Keynote speaker at Rockwell Automation’s 2012 Safety Automation Forum
• Co-presenting at 2013 ASSE Professional Development Conference in Las Vegas
Risk Leadership
Source: Artwork by Jen Olney (@GingerConsult & #Bealeader)
Discussion Topics
Insurance and Risk Management Strategies & Resources
Emergency Management & Business Continuity Fundamentals
Disruptions and Vulnerabilities
Strategic Risk Management & Resiliency
Icebreaker
• How many different industries and segments are represented in today’s session? Examples:
– Manufacturing (automobile, food, machinery, pharma, etc.)
– Construction (Heavy/Highway, GC/CM, specialty trade)
• What are the functional responsibilities of today’s attendees?
• How effective is your company’s Emergency Plan?
– Formal (written procedures)?
– Current (last revised?)
– Basic or Comprehensive?
– On the shelf or tested in practice?
Disaster Response to Zero Disruptions
4 distinct phases of training sessions:
1. Disaster response
2. Emergency planning and preparedness
3. Crisis management and reputation risk
4. Zero Disruptions
Leadership Lessons from Nashville Flood
Colin Reed; Chairman & CEO, Ryman Hospitality Properties
(Formerly Gaylord Entertainment)
• The time for creating an emergency plan is not during the emergency
– Prepare an emergency manual that outlines the potential "events" and "responses."
• Build the "right" culture of leaders, management and employees
• Communication has to be direct and honest during an emergency
• “We are a better company because of what we went through."
Source: DeVries, M.J. (2010 August 16). Best Practices Construction Law. http://www.bestpracticesconstructionlaw.com/2010/08/articles/leadership/colin-reed-leadership-lessons-from-nashvilles-flood-recovery/
It Could Happen Tomorrow: Reality TV?
• The Weather Channel (www.weather.com)
• “… unbelievable yet possible acts of nature which could spell disaster for cities across America”
• Hurricane Katrina “predicted” before it hit New Orleans
– Pilot episode completed in April 2005 on hypothetical category 5 hurricane striking New Orleans… but did not air until June 2006
– Substituted with hurricane striking NYC thereby “predicting” 2012 Super Storm Sandy
Key Risk Management Principles
• Risk management processes
– Decision making
– Business improvement
• Tangible and intangible assets are “at risk”
• “Frequency breeds severity”
• “Prevention is better than mitigation”
– Mitigation is better than litigation
• Indirect (uninsured) costs are a multiplier on direct (insured) costs
Integrated Risk Management Model: PQRS Levers for Profitability
Productivity
Quality
Risk
Safety
Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning continuing education course. All rights reserved. Used with permission.
7 Types of Business Risk
Risk Management: Simple Definition
“The preservation of an organization’s
human and financial resources”.
Preservation = Conservative Approach
Strategic Risk Management: Definition
“The preservation and leveraging of an
organization’s human, financial and strategic assets.”
Leveraging to Seize Strategic Opportunities Based on Risk to Reward Ratio
Zero Disruptions: Integrated Framework
Crisis Communication
Enterprise Risk Planning
Business Continuity
Emergency Management Planning
& Disruption Prevention
Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning continuing education course. All rights reserved. Used with permission
Zero Disruptions: Interrelated Disciplines
Crisis Communications
Supply Chain Resilience
Business Continuity
Emergency Planning
Zero Disruptions
Exercise #1: Real Disruption Events
Individually brainstorm the following question:
What types of events can disrupt
ordinary business operations?
Examples of Business Disruptions
Earthquake | Fatality accident | Loss of key personnel
Fire | Power outage | Labor strike
Flood | IT system crash | Vandalism
Tornado/Hurricane | Workplace violence | Demonstrations or riots
Blizzard/Ice storm | Equipment theft | Chemical/HazMat spill
Dam/Levee break | Hacker/virus | Supplier insolvency
Structure collapse | Breach of privacy data | Terrorism
Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning continuing education course. All rights reserved. Used with permission
Real Examples of Business Disruptions
• 45 attendees at 2011 CFMA Conference generated 36 real-life disruptions that interrupted corporate operations or project activities
• 6 general groupings of disruptions:
1. Natural Disaster or Fortuitous Risk
2. Utility Outage
3. IT/Computer Problem
4. Supply Chain Interruption
5. Operational Risk
6. Financial Problem
Natural Catastrophes vs. Man-Made (Technological) Disasters
Natural Catastrophes
Floods, storms, hurricanes, tornadoes
Earthquakes and landslides
Drought, fire, heat
Ice storms
Man-made Disasters
Major fires or explosions
Utility emergencies
IT & telecom failures & Cyber-security breaches
Aviation, shipping and rail disasters
Collapse of dams, buildings, bridges
Pollution and hazardous materials spills
Crime, war and terrorism
Pandemic flu
Tendency to Over-Emphasize Nat Cats; Increased Vulnerability to Man-Made Disasters
Characteristics of Disruptions
Type: Natural events vs. man-made (technological)
Probability: Likely vs. unlikely
Foreseeability: Expected vs. unexpected
Frequency: Recurring vs. random
Scope: Emergency vs. disaster
Scale: Isolated vs. widespread
Severity: Minor vs. major
Exercise #2: Adverse Consequences
Individually brainstorm the following question and be
prepared to share examples with the group:
What are the possible types of adverse
consequences or outcomes of not having an
effective emergency management plan?
Adverse Consequences of Disruptions
• Breach of contract
• Loss of reputation and goodwill
• Relocation of business
• Absenteeism and attrition
• Labor shortage
• Personal injuries
• Fatalities
• Service interruption
• Broken supply chain
• Cash flow crisis
• Financial default
• Bankruptcy
Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning continuing education course. All rights reserved. Used with permission
Reality Check: Austere Consequences
• What is the cost of “down day”?
– “Down week”
– “Down month”
• Temporarily relocated business?
• Permanently shuttered business?
Typical Recovery Time Objective: Resumption of Normal Business Activities Within 24 Hours
Exercise #3: Benefits & Positive Outcomes
Individually brainstorm the following question and be
prepared to share examples with the group:
What are the possible benefits and positive
outcomes of having an effective
emergency management plan?
Benefits of Emergency Management Plans
Reduce business disruption
Protect human, physical and financial assets
Maintain sustainable cash flow
Preserve customer base
Continue supply of services/products
Maintain reputation and public confidence
Preserve investor / creditor confidence
Mitigate legal liability
Maximize insurance recovery and reduce insurance costs, etc.
Elements of Emergency Plans
Purpose and policy statement
Authority and responsibilities
Types of emergencies
Vulnerability assessment
Emergency operations center and procedures
Business continuity protocols
Crisis management and communication protocols
Site maps
Evacuation procedures
Resource lists
– Internal
– External
Vulnerability Assessment
• Need for vulnerability assessment to determine priorities for planning
• Over-emphasis on natural disasters
• Under-emphasis on man-made or technological threats
– I.T./business continuity and utility outages
– Supply chain: Contingent risks and interdependencies
Example Risk Matrix
Source: www.fdicoig.gov (2005).
• Probability vs. Severity (Likelihood vs. Impact)
Strategic “Blind Spot”
Incomplete Information
Undetected Early Warning Signals
Lack of Prior Experience
Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning continuing education course. All rights reserved. Used with permission
Exercise #4: Your Company’s Vulnerabilities
Individually brainstorm the following question and be prepared to share examples with the group:
1. What are the top 3-5 vulnerabilities your company faces?
2. Rank them on probability (high-medium-low) and on impact (catastrophic-critical-marginal).
3. How well prepared is your company today to address these top areas of vulnerability to disruption?
Crisis Risk Management and Corporate Reputation
Corporate Reputation (CR)
Crisis Risk Management (CRM)
Organizational Crises
Sustained CR = Sustained Competitive Advantage
Corporate Reputation (CR)
Confidence
Esteem
Respect
Trust
Emergency Management & Business Continuity Plan
Disaster Response Plan & Crisis Communication Protocols
Crisis Risk Management (CRM) Practices
Enterprise Risk Planning | Post-Crisis Recovery
Vulnerability Assessment | Time of Crisis Response
Risk Analysis | Pre-Crisis Planning
Exposure Identification | Awareness/Readiness
Leadership & Management
Internal Problem
Policy/Ethics
Operational
Micro-economic
Marketing & Public Relations
External Event
Image/Media
Environmental
Macro-economic
Exposures + Perils = Risk
Beyer, C.E. (Jan-Feb 2010). The impact of crisis risk management on corporate reputation. Building Profits. Construction Financial Management Association.
Crisis Risk Management & Corporate Reputation
Risk and Reputation
• Becoming or remaining an employer of choice
– Experiencing less voluntary employee attrition
• Retaining existing customers & attracting new customers
• Expanding market share
• Enhancing the ability to forge strategic partnerships and alliances
• Differentiating from competitors
– Charging premium prices or gaining market share
Key Challenge: Creating a Sustainable Competitive Advantage
Strategic Risk Management
1. Strategic risks emanate from tangible and intangible assets
– Brand, market position and competitive advantage
2. Shift from reactive disruption recovery to proactive disruption prevention
Examples of Strategic Risks
• Company image and corporate reputation
• Key relationships, including partnerships and strategic alliances
• Availability of capital and credit
• Patents and other Intellectual Property
• Adoption of technology and other innovations
• Emerging substitute products and services
• Economies of scope and scale
• Changing political and regulatory climate
• Mergers and acquisitions and new competitors/suppliers
• Contraction, divestiture or bankruptcy of existing competitors or suppliers
• Shifting customer preferences
Opportunity to Leverage Safety as C-Suite Concern
Key Learning: Attitude of Invincibility
• Attitude of invincibility prevails
– Less than 20% of workshop attendees acknowledge having a written or formal program
• Invincibility stems from:
– Comfort Zone = Complacency
– Priority of today’s business demands
– Randomness and bad luck of events
– Overwhelming process
– It can’t be that bad
– Lightning doesn’t strike twice
Emergency Management Process
Pre-Crisis Activities Post-Crisis Activities
PLANNING PREPAREDNESS PREVENTION RESPONSE REMEDIATION RECOVERY
Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning continuing education course. All rights reserved. Used with permission
Emergency Management Planning Fundamentals
1. Does your company have a formal, written emergency plan?
2. Has this plan been disseminated and posted throughout the company?
3. Have all employees been trained on the plan?
4. When was the last formal update completed for your plan?
5. Has your company conducted tests or drills on this plan?
Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning continuing education course. All rights reserved. Used with permission
Needs Assessment -- Does Your Plan Include:
1. Vulnerability assessment?
2. Probability Analysis?
3. Business continuity plan for data recovery?
4. Emergency operations procedures?
5. “Go boxes/kits” of key records/data?
6. Evacuation procedures and drills?
7. Centralized meeting place(s)?
8. Critical Incident Response protocol
9. Internal resource lists (e.g., telephone trees)?
10. External resource contact lists?
11. Crisis media management plan with designated spokesperson?
12. Communication systems protocols for customers, suppliers, employees, business partners and stakeholders?
Insurance & Risk Management Review
1. Solicit professional assessment of your company’s insurance and contractual risk
– Determine what is insured and what is not insured
– Ensure submission has current valuation for buildings and equipment
– Understand contractual obligations
– Evaluate adequacy of coverages and policy limits
– Understand basis of recovery: Replacement Cost vs. Actual Cash Value
– Run various scenarios for potential impacts on business income and extra expense
• Evaluate need for Business Interruption (BI), Contingent BI and extra expense -- and understand waiting period(s)
Insurance/Risk Mgt Review (con’t.)
2. Undertake comprehensive risk assessment evaluation
– Assess vulnerabilities and interdependences
– Institute corrective actions and plan future improvements
3. Evaluate need for tighter contractual controls
– Add insurance requirements and indemnification language
– Legal and risk management review of “critical clauses”
– Add subcontractors’ emergency preparedness to pre-qual criteria
– Ensure contractual risk transfer execution and documentation exists at project level
• Do not allow work to start without executed contracts
Business Continuity Planning
• Design
• Security (controls and enforcement)
• Redundancy
• Backup (offsite storage, archiving, and retrieval)
• Backup of operating system, too!
• Testing
• Auditing
“Achilles Heel”: IT & Cyber-Risk
• “Known-unknowns” or “unknown-unknowns” vulnerability
• Privacy data breach: financial and reputation risk
• Malware, hacking, viruses
• Theft of laptops, hand-held devices & retrievable storage devices
Risk Horizon Scan: Top 5 Threats (2012)
• As ranked by extremely concerned and concerned respondents
1. Unplanned IT and telecom outages (74%)
2. Data breach -- loss or theft of confidential information (68%)
3. Cyber attack -- malware, denial of service (65%)
4. Adverse weather -- windstorm/tornado, flooding, snow, drought (59%)
5. Interruption to utility supply -- water, gas, electricity, waste disposal (56%)
Source: Horizon Scan 2012 Survey, Business Continuity Institute
Business Continuity Institute
• 4th Annual Supply Chain Resilience Survey– Download available with registration @ www.TheBCI.org
• 530 respondents in 65 countries
• “origins, causes and consequences of supply chain disruptions…”
• Increasing frequency, severity, disruption, consequences and costs
• 73% of respondents had at least 1 disruption (ave = 5)
• 39% below Tier 1
• Top 3:
– IT/telecom (52%)
– Weather/Nat Cat (48%)
– Sourcing provider failure (35%)
Leading Sources/Causes of Data Breaches
• 95% of breaches stem from 3 sources:
1. Loss or theft – 44%
2. Hacker – 32% (75% of exposed records)
3. Rogue employee – 19%
Source: “Cyber liability and data breach insurance claims”; NetDiligence, June 2011
Costs of Data Breaches (Direct and Indirect)
• Required notification/communication
• Hosting call center for customer inquiries and support
• Credit monitoring services
• Crisis management services (legal and public relations)
• Forensic investigation
• Business interruption (loss of income, cost to recreate lost data, extra expenses)
• Regulatory fines
• Restitution
• Legal liability
• Reputation
Statistics on Cyber Security
• $60 billion global cyber security spending [1]
• 10% growth over the next 3-5 years [1]
• $10.2 billion in cyber security deals for first half of 2011 [1]
• $75.63 billion spent by US companies on IT security [2]
1. The 2012 Global State of Information Security Survey®, a worldwide survey by CIO Magazine, CSO Magazine and PwC.
2. Ponemon Institute, http://www.thefiscaltimes.com/Articles/2011/09/
IT and Business Continuity Risk Management
• Train employees on safeguarding data, hardware and portable device security
• Audit clean desk policy and data security protocols
• Review vendor contracts to understand mutual contractual obligations for confidentiality/non-disclosure and risk transfer
• Request business continuity plan from critical business partners
• Deploy data encryption
• Develop incident response planning
• Configure networks using multiple firewalls
• Update anti-virus software regularly
IT and Business Continuity (con't.)
• Employ anti-virus software on all hardware and portable devices
• Scan incoming email attachments for viruses
• Back up network data and configuration files daily
• Test business continuity disaster plan, including data recovery protocols using archives from offsite data centers
• Install and test upgrades and security patches within 24 hours of notification
• Conduct scenario exercises and simulation exercises to understand exposures and to identify vulnerabilities
Immediate Next Steps
1. Undertake insurance and risk management review
2. Institute a planning team
– Make it a team sport and a contact sport
– Interdisciplinary approach
3. Identify vulnerabilities
– Assess potential for disruption
– Determine expected frequency
– Quantify the likely and worst-case scenario
4. Inventory existing internal resources
5. Determine available external resources
6. Develop, disseminate and drill on new plan
Individual Exercise: Action Steps
• Identify 3 critical gaps in business resiliency or continuity planning for your company.
• Based on the information you have learned today, identify 3-5 specific tactics/strategies you will take at your company in key areas:
– Emergency planning/preparedness
– Business continuity/resiliency
– Crisis management & communication
Appendix: Additional Resources
• Know Your Stuff® – Home Inventory
• Insurance Information Institute's free online home inventory software (http://www.iii.org/)
Business Continuity Planning Checklist
CFMA Louisiana Joint Chapter Conference in New Orleans (March 2006)
Copy available upon request
Downloadable Government Resources
Emergency Management Guide for Business and Industry
http://www.fema.gov/library/viewRecord.do?fromSearch=fromsearch&id=1689
Sample Emergency Plan Resources
www.ready.gov/business/
Protect Your Workplace: Cyber-Security
http://www.us-cert.gov/reading_room/
Business Continuity and Emergency Plan
http://www.ready.gov/business/_downloads/sampleplan.pdf
Crisis Care Network
www.crisiscare.com
Critical incident response
The Lukaszewski Group, Inc., Division of Risdall Public Relations
http://www.e911.com/
Crisis communications
Critical Incident Response & Crisis Management
Bernstein Crisis Management, Inc.
www.bernsteincrisismanagement.com/
Guide to Business Continuity Management, 2nd edition
http://www.protiviti.com/en-US/Pages/Guide-to-BCM-2nd-Edition.aspx
Additional Resources
www.supplychainriskinsights.com
• Zurich North America’s co-branded microsite with Wall Street Journal
• Repository for thought leadership on supply chain risk management topics
Supply Chain Risk Management Resource
Copyright © 2010 CFMA. All rights reserved.
www.osha.gov/SLTC/etools/hurricane/index.html
OSHA’s e-Hurricane Matrix
The Financial Management of Cyber Risk: An Implementation Framework for CFOs
http://webstore.ansi.org
Cyber Risk Resource
Contact Information
Cal Beyer
Murray Securus
39 N. Duke Street
Lancaster, PA 17608
Phone: 717.397.9600
www.murrayins.com
www.linkedin.com/in/calvinbeyer/
@riskleadership & @ContractorRisk