
3/27/2015


The 13th Annual Continuity Insights Management Conference

Presented by: Continuity Insights

April 20-22, 2015 ● Talking Stick Resort ● Scottsdale, AZ

Next Generation Resilience

What Enterprise-Wide Business Continuity Really Means

April 20, 2015

Communicating the value of BC to management and embedding it into the corporate culture

“In preparing for battle I have always found that plans are useless, but planning is indispensable.”

Dwight D. Eisenhower

Agenda

• Background

• Program Elements

• What Makes it “Enterprise-wide”

• Recommended Strategies

13th Annual Continuity Insights Management Conference: Next Generation Resilience


• Established in 1896, Preferred Mutual Insurance Company is headquartered in New Berlin, New York

• Provides property and casualty insurance coverage to individual and business customers through a network of independent agents throughout the Northeast

• Rated "A" for excellent through A.M. Best

• Please visit us at www.preferredmutual.com

• Email questions to [email protected]


Where To Begin???

(Word cloud of terms:) Business, Catastrophe, Crisis, Disaster, Emergency, Incident, Risk, Technology (IT), Contingency, Continuity, Disruption, Interruption, Recovery, Resilience, Management, Planning, Preparedness, Program, Readiness

What do we do?


Let’s See What the Industry Has To Say

Business Continuity:

• An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services. (NFPA 1600)

• The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. (DRJ)

Business Continuity Management:

• Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (ISO 22301)

• The process that organizations use to ensure business continuity is maintained across their organization. (DRJ)

Business Continuity Program:

• Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management. (ISO 22301)


More Industry Terminologies

Business Continuity Management Program:

• Ongoing management and governance process supported by top management and appropriately resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review. (BCI)

Disaster Recovery:

• The technical aspect of business continuity. The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster recovery includes subsequent resumption and restoration of those operations at a more permanent site. (DRJ)

Disaster/Emergency Management:

• An ongoing process to prevent, mitigate, prepare for, respond to, maintain continuity during, and recover from an incident that threatens life, property, operations, or the environment. (NFPA 1600)

• A program that implements the mission, vision, strategic goals, objectives and management framework of the program and organization. (BCI)


Encompassing “the Enterprise”

Enterprise-wide:

• Encompassing an entire organization, rather than a single business department or function. (FFIEC IT Examination Handbook, Business Continuity Planning, Appendix B: Glossary)

Enterprise Risk Management (ERM):

• ERM includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. (BCI and Wikipedia)

(Keep in mind, this has only been a sampling of terms…)


1st Step… Pick the ‘Broadest Starting Point’

Business Continuity Management (BCM):

• Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience¹ with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (ISO 22301)

¹ Resilience:

• (1) the ability to become strong, healthy, or successful again after something bad happens; (2) the ability of something to return to its original shape after it has been pulled, stretched, pressed, bent, etc. (Merriam-Webster.com)

• The adaptive capacity of an organization in a complex and changing environment. (ASIS)

• Editor’s Note: (a) Resilience is the ability of an organization to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event. (b) Resilience is the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must. (ASIS)


Going Forward: Use Known References and Leverage Industry Best-Practices

• DRI International (DRII) – Professional Practices

• Business Continuity Institute (BCI) – Good Practices Guidelines

• Regulatory Agency Frameworks, Directives and Documentation (ISO, NFPA, SEC, FFIEC, HIPAA, etc.)

• Industry Publications, White Papers and Recognized Conference Materials (e.g. Continuity Insights)

• Reputable and Trusted Experts, Consultants, Vendors and/or Business Partners


Enterprise-wide is Thought-Shifting


[Diagram, “From This… To This…”: two side-by-side views, each labelled Your Organization, BCM (You), BC Plan Ownership and Facilitation/Expertise]

Requires Dept Heads becoming Plan Owners


[Diagram: departments and business units grouped as Incident Response (& Mgmt), Critical Infrastructure/Support and Direct Customer-facing Areas, with BCM and CIRT. Labels: IT Operations, Customer Service, Gov’t Affairs, Site Services, Corp Comm, Field Agency Marketing, Actuarial, Commercial Lines, Human Resources, QA & Agency Interface, CIRT, Internal Audit, Executive Team Liaison, General Counsel, Personal Lines, IT Enterprise Applications, SBS Project Development, Financial Operations, Finance & Risk Mgmt, BCM, Comm, Claims, Other Depts/BU’s…]


Enterprise-wide is also Approach-Shifting (Process-based vs Scenario-based plans)


[Diagram: process-based plan structure]

PROCESSES and their resource requirements: Applications / Software, Equipment, Supplies, Vital Records, Com. Devices, Teams, Employees, Providers / Vendors, Customers, Tasks, Procedures, Agents and/or Policyholders, Suppliers and/or Vendors

① BU’s Identify Process Resource Requirements… ② Then common dept tasks… ③ And then broad scenarios…

Overlay with Company Strategic Responses:

• Building Outage

• Technology Outage

• Inclement Weather / Regional Disaster

• Pandemic (Workforce Red)

Dept BC Plan: Process (×5) / Process Tasks

Dept/BU Leadership Checklist:

- Account for Employees

- Determine Critical Staffing needs

- Report Status

- Determine escalation/activation

- (etc., etc….)

Enterprise-wide Bridges Gaps


[Diagram: the PROCESSES resource list (Applications / Software, Equipment, Supplies, Vital Records, Com. Devices, Teams, Employees, Providers / Vendors, Customers, Tasks, Procedures, Agents and/or Policyholders, Suppliers and/or Vendors), shown twice]

• Focus/Highlight BIA and Business Process Prioritization

• Ensure the correct level of IT DR, given the ‘ultra-low tolerance for latency’ world in which we operate today

• Ensure the business has the correct IT DR expectations

• Address Work Area Recovery/Continuity

• Keep Management involved and continuously updated

Requires Enterprise-Wide Incident Coordination


[Diagram: incident command structure, Facilitation by BCM. Legend: Command, Infrastructure, Logistics, Finance, Planning & Intelligence. Labels as they appear: Incident Commander (IC), Person “In-Charge”, Named at T.O.D.; Finance & Risk Mgt, Finance Lead; Personal Lines, P & I Co-Lead; Corp Communications, Logistics Co-Lead; HR Back-up #1; Infrastructure Co-Lead, IT Operations; CC Back-up #1; Executive Liaison, Actuarial; Strategy Team, Co-back-ups - SVP’s; CEO, Strategic Oversight; Infrastructure Co-Lead, IT Disaster Recovery; Internal Audit; Human Resources, Logistics Co-Lead; IT Back-up #1; Commercial Lines; Field Agency Marketing; Gov’t Affairs; SBS Project Dev; Site Services, SS Back-up #1; Gen Counsel; CC Back-up #2, HR Back-up #2, Back-up #2 - VP’s and Sr Directors; Customer Service, P & I Co-Lead; QA & Agency Interface, Claims, IT Ent Applications, Financial Operations, HR; Corp Comm; IT Back-up #2; P&I Back-up #1, P&I Back-up #2, Finance Back-up #1, Finance Back-up #2]

Our Enterprise-Wide BCM Model


Model columns: (Design and Guidance) ● (Making Ready) ● (Should there be a need…)

Company/Infrastructure Readiness

• Employee Preparedness, Policies and Communications

• Facilities Preparedness, Mitigation, Emergency Response and Security

• IT Preparedness, Mitigation and IT Disaster Recovery

Department Business Continuity Plans

• Plan Design and Development

• Training and Exercises

• Each Department is responsible for its own BC Plan and Readiness

Incident Response (& Mgmt)

• CIRT (Corporate Incident Response Team) comprised of key stakeholders

− Centralized management of all incidents – including Catastrophes

− Escalates/Communicates with Executive Leadership, as necessary

• Response Protocols for each Satellite Office

Business Continuity Committee


Enterprise BCM Program Component Terms/Definitions

Business Continuity Management (BCM): “Holistic management process… provides a framework”

Incident Response (our CIRT): “…may include evacuation of a facility… performing… measures necessary to bring an organization to a more stable status”

Facilities/HR – Emergency Preparedness/Response: “The capability… to respond to an emergency… to prevent the loss of life and minimize injury and property damage”

IT – Disaster Recovery (DR): “The technical aspect of business continuity… infrastructure, telecommunications, systems, applications and data…”

BCM/Facilities/HR/IT/BU’s – Work Area Recovery: “The component… that deals specifically with… relocation of… personnel… workspace… complete with necessary office infrastructure.”

BU’s – Business Continuity Plan (BCP): “…procedures… to respond, recover, resume and restore… to ensure the continuity of critical business functions”

Enterprise BCM Program Component Expectations


• BCM Committee: Collaborative Oversight and Readiness; Promotes ‘good organizational habits’

• BCM Program Office: Provides BCM leadership, framework, development, expertise and support services

• BCM/Risk “Owners”: Sign annual attestation; their designated “Liaisons” perform the work in advance

• Corporate Incident Response Team (CIRT): Management team responsible to lead and manage response to any circumstance (incident, crisis, catastrophe/disaster and the like)

• Emergency Preparedness/Response: Facilitates 1st response to emergencies: evacuation, ‘shelter in-place’, lockdown and the like. Further direction/support from CIRT. MERT for medical emergencies

• IT Disaster Recovery (DR): “Warm site” data center in Rochester; replicates data and is used for ‘fail-over’

• Work Area Recovery: Initially Work from Home; complemented by Agility Recovery to provide 144 ‘seats’; includes equipment and connectivity to our networks via office space, mobile units, generators and satellites

• Business Continuity Plans (BCP’s): Department protocols to help manage from incident occurrence, to and through the point of continuing critical department processes; includes IT DR and/or Work Area Recovery

Then…Communicate BCM in Common Sense

• Business Continuity is the advanced planning and preparation for things that can happen – and then being ready to respond when things do happen

• What does that really mean? (Hint: You won’t find it in a binder, or on a software tool…)

• “It’s in the Planning, not the Plans”: BCM is an embedded organizational culture that promotes continuous planning, preparation and making the business ready to respond

• We understand people come first, but doing our jobs becomes the priority once safety is addressed

• Which means, every employee has a role in business continuity

• Every employee must be fully prepared at work and at home, including their families


Recommended Management Strategies

1. Start a BCM Committee

– Dept Heads from: Facilities, IT, Corporate Communications, HR and Key Customer-facing BU’s

– Use Risk-based (ERM) / Best Practices approach, and establish that BCM is a “Show-Stopper”

2. Establish an Incident Response and Management Team (both Members/Protocols)

3. Leverage ‘like-minded’ efforts that are already established. Use BCM Committee to consolidate and update (possibly agree for BCM to take the lead on integration/improvement)

4. Gain Senior Management approval for a 2- to 4-step design/re-design and deployment strategy

– Begin 1st step ASAP!

5. Provide regular updates and recommendations to Senior (C-level) Executive Management

6. Leverage Corp Comm to socialize BCM to entire company as much as possible… Be Creative!!!


Recommended Employee Strategies

1. Highly promote that all employees prepare themselves and their families:

– Develop an Awareness Campaign

– Lots of help out there! e.g. Red Cross: “Get a Kit. Make a Plan. Be Informed.” (http://arcbrcr.org/#SITE)

– Download local alert apps for weather and other emergencies (In NY, www.nyalert.gov)

2. Highly encourage supervisors/subordinates to exchange critical contact information

3. Everyone has a role, and is expected to do something during an incident… even if just a phone call

– Know where to go and what to do, even if it’s home. (If you don’t know, ask)

– We understand that family comes first. Give management the courtesy of knowing your situation and strive to make yourself available. (This is our place of both customer commitment and employment)


When can we communicate that we have achieved Enterprise-Wide Business Continuity?

• Business Continuity Committee – Confluence and Oversight

• BCM Program Office – Facilitation and Expertise

• Each Department Head is a BCM Plan Owner – Accountability & Ultimate Responsibility

– IT Depts (including DR) are included in this!

– Signs Attestation that BCP is Viable/Actionable, and that SVP’s/Employees are Informed/Trained

• Business Continuity Liaison – Plan Owner-designated Single-Point-of-Contact

– Facilitates information-gathering and plan development (as well as data input and BCM activities)

• Incident Response & Management – Protocols to Ensure a Defined Team is Organized/Ready

[Note: Make it a goal this year or next, to report Residual Risk Tolerances to BOD Audit Committee]


Enterprise-Wide Business Continuity

It’s in the Planning, not the Plans!

Q & A

Thank you,

Dave Prosser, MBCP

[email protected]
