jeremy smith

©2005 Deloitte & Touche Business Continuity Management. Jeremy Smith, Practice Leader Enterprise Risk Services Caribbean Association of Indigenous Banks November 2005


Post on 16-May-2015


Page 1: Jeremy Smith

©2005 Deloitte & Touche

Business Continuity Management.

Jeremy Smith, Practice Leader, Enterprise Risk Services

Caribbean Association of Indigenous Banks

November 2005

Page 2: Jeremy Smith

Agenda

• Introduction to Business Continuity Management

• Lessons Learned from Hurricane Ivan

• Summary

Page 3: Jeremy Smith

Introduction to Business Continuity Management

Page 4: Jeremy Smith

Benefits of Business Continuity Management and Crisis Management

Development period for a new problem. Improvement in the curve due to early warning of problems.

[Figure. Labels: Number of Incidents; Losses; Time; First Failure; Problem Understood. Key: Reactive feedback; Proactive Risk and Crisis Management. Source: Allen, D.E. (1992)]

Page 5: Jeremy Smith

BCM Regulatory Summary

Legislation and regulations are focusing on protection of the entire financial market, escalating BCM as a key regulatory requirement.

Business Continuity Management Drivers

• NASD Rules 3510, 3520 and NYSE 446

• OCC and SEC White Paper

• ICSA

• CFTC Compliance Rule 2-38

• SEC Policy Statement

• FSA Paper 142 Consultation Paper

Risk Management Drivers

• GLBA, HIPAA, PIPEDA

• Sarbanes-Oxley

• Basel II

Page 6: Jeremy Smith

Continuity has moved from Operational to Management Imperatives

[Figure. Labels: Business Value; Vision; Backups; Disaster Recovery Plan; Business Continuity Plan; Business Continuity Management; Continuous Availability; Resilience; Predictive Modeling. Stages: Disaster Recovery; Business Continuity Planning; Business Continuity Management]

Page 7: Jeremy Smith

A Framework for Business Continuity

This approach assumes the development of a long range capability; more than just a plan.

[Figure. Phases: Analyze; Develop; Implement; Process Improvement. Components: Current State Assessment; Risk Assessment; Business Impact Analysis; Governance; Training & Testing; Availability/Recoverability Strategies; Procedures; Resource Acquisition & Implementation; Maintenance]

Page 8: Jeremy Smith

Lessons learned from Hurricane Ivan

Page 9: Jeremy Smith

Anatomy of a Storm

Naval Research Lab

Page 10: Jeremy Smith

Anatomy of a Storm (continued)

UN Economic Commission for Latin America and the Caribbean (ECLAC)

• Total damage US$3.5 billion (2 yrs Cayman GDP)

• Estimate US$95,625 per person

By Sector

• 53% Social US$1.88 billion

• 33% Production US$1.2 billion

• 14% Infrastructure US$420 million

Page 11: Jeremy Smith

Tips from Lessons Learned

Geographical Disbursement

• Separate primary and backup sites

• Investigate working from alternative jurisdictions

• Pre-clear permits and operation license with regulators, legal counsel, and relevant authorities

Dual-sited Organisations

• Engineer fail-over and Disaster Recovery capability

• Test backup sites regularly

Page 12: Jeremy Smith

Tips from Lessons Learned

Transportation

• Develop strategies in advance (e.g. plane charters, reserved flights and vehicle fuel storage)

• Set up remote working ability

Communication Plan

• Automated notification systems - multiple devices (cell, email, land line)

• Set up backup cellular networks (e.g. blackberries, PDA)

• Predefined/agreed messages

Page 13: Jeremy Smith

Tips from Lessons Learned

Service Level Agreements

• Agreements in place (transportation, DR, etc.)

• Conduct vendor risk assessments

• Test recovery capability of vendors

Plan Maintenance and Testing Critical

• Scenario driven crisis management and business recovery plans (evolve during major reorganisations/systems conversions)

Page 14: Jeremy Smith

Tips from Lessons Learned

Chain of Command

• Crisis leadership that can quickly mobilize invocation procedures

• Pre-agreed roles/responsibilities and levels of authority

Human Aspects

• Encourage counseling services

• Succession planning

• Assist employees' personal recovery

• Engage remote working or non-critical employees

• Prepare for compassionate situations (family bereavement)

Page 15: Jeremy Smith

A member firm of Deloitte Touche Tohmatsu

Summary

Page 16: Jeremy Smith

In Summary

Financial Institutional Objective:

• Decide risk position as it relates to increasingly strict BC regulation and lessons learnt

• Seek clear demonstration of response & recovery capability from your organisation

• Ensure all critical operational and physical components are integrated into your approach

Finally… Evaluate your BC programme in its entirety

Page 17: Jeremy Smith

Member of Deloitte Touche Tohmatsu