Business Continuity Planning Rising from the Ashes - practical insights on recovering from a Disaster
PwC
Agenda
1. Disasters and news events
2. Tracker Case Study
3. Ceres earthquake
4. What is Business Continuity Planning
5. Why BCP (incorporating King III)
6. BCP and Risk Management Framework
7. What Auditors look for
8. The Real Solution
9. Practical Considerations
A disaster could strike at any time. Is your organisation prepared?
Disasters
In the past few years some major South African businesses were impacted by severe fire damage to facilities.
Tracker – Head Office burnt down overnight; Paarl Gravure Paarl Print - 13 people died; CERES (collapse of racking); BOKOMO (fire); SARS – Umhlanga offices; Electricity failures; Service delivery protests
Globally: Economic crisis – loss of major suppliers; Toyota – major recalls
Internationally: Natural disasters – Japan, Haiti, Thailand, Pakistan, USA; London riots
Lloyds of London hit by record catastrophic claims - £526m loss last year
Biggest Insurance loss recorded since 9/11
The 324-year-old insurance market, which operates out of Richard Rogers's famous "inside-out building" in London, paid out £4.6bn in disaster claims after earthquakes in Japan and New Zealand, storms in the US and floods in Thailand and Australia. Total catastrophe claims for the global industry reached $107bn (£67bn) last year, according to insurer Aon Benfield.
The unprecedented series of natural disasters forced up the total Lloyd's payout to £12.9bn, or £1.07 for every £1 paid in premiums last year.
Extreme weather events increased significantly over the past decade
Extreme weather events over the past decade have increased and were "very likely" caused by human-induced global warming, according to a study in the journal of Nature Climate Change. Recent years have seen an exceptionally large number of record-breaking and destructive heatwaves in many parts of the world and research suggests that many or even most of these would not have happened without global warming.
Tracker Case Study
Fire started at approx 2am on 17 Jan 2010
Local residents called Fire services
Entire top floor was destroyed which housed their call centre – 3:30am and fire was still raging
Senior management team assembled at their recovery site - 4am
Started executing their Business Continuity Plan. Plans based on 9/11 type scenario
Call centre was operational by 5:30am
People played a major role
No disruption to their services
Fully operational on Monday morning 6am when staff arrived for work.
Tracker Case Study
Gareth Crocker, Communications Manager for Tracker, left the following comment at 11am: “I would just like to let everyone know that Tracker's emergency call centre was recently moved from that building and escaped unscathed. We have a disaster recovery site and plan for this kind of thing which we are rolling out as we speak. We don't anticipate major disruptions to our business come Monday morning.”
Ceres earthquake of 29 September 1969
The most destructive earthquake in South African history struck the Ceres area at 22H03 on the 29th of September 1969. Its magnitude was 6.3 on the Richter scale. The shock was felt as far as Durban (1175 km). The earthquake was followed by a number of aftershocks, the most severe of which was on the 14th of April 1970 (5.7 on the Richter scale). During the earthquake, even well-constructed brick houses were extensively damaged. Nearly all the roads in the area were cracked, pipelines were broken and tombstones fell. Fortunately none of the dams in the area failed, although the earth walls of some were cracked. Extensive fires ravaged the mountains due to sparks caused by falling rocks and scree slides. The duration of the main shock was 15 seconds. The accumulation of forces over time will probably cause another earthquake in the future.
Business Continuity
Business continuity describes the processes and procedures an organisation puts in place to ensure that essential functions can continue during and after a disaster. Business continuity planning seeks to prevent interruption of mission-critical services, and to re-establish full functioning as swiftly and smoothly as possible after any interruption.
No organisation wants to suffer a breach of its information security defences. But even the best defences are not always failsafe. An organisation therefore needs a 'business continuity plan' (BCP) which sets out the actions to be taken to restore business as usual after a critical incident. However, it is better if the breach can be avoided, so organisations put in place pro-active controls to help minimise and manage risks.
People over plans every time
[Chart: Paradigm Shift. Solution Elements (People, Infrastructure, Paper plans, Analytical reports), Perception vs. Reality. Values shown: 5%, 20%, 35%, 40% and 65%, 30%, 5%, 0%.]
Extensive research clearly shows that in a real crisis people rarely look at plans
People are by far the most important element of a working solution
Business Continuity Management: Key areas of focus
[Diagram labels: Risk Management Crisis Management Team Project Management Communications Reputation Management Strategic Decisions Stakeholders Recovery Support Identifying Priorities Incident Site Team Site Communications Emergency Services Management Visitors Staff Business Recovery Team IT Recovery Team Business Staff Infrastructure Staff and Client Communications Business Processes Plans IT Staff Backups Computers Modems Plans Servers Networks Phone Systems IT Security]
BCP vs. Disaster Management
Disaster management focus is on saving and preserving lives and infrastructure in the event of a disaster. The focus is also on providing humanitarian relief to affected persons and rescue and salvage operations.
Disaster management should be focused on 4 areas: Disaster prevention; Disaster preparedness; Disaster Relief; Disaster recovery
Business Continuity is focused on resuming critical business operations in the aftermath of a disaster
BCP vs. Disaster Management
[Cartoon caption: Phew! Thank goodness we all made it out in time…. ‘Course now we are still out of water’]
A number of organisations focus on emergency management but ignore the need to recover their business operations!
Business continuity management addresses an organisation’s ability to: Limit the effects of a crisis; Provide uninterrupted services; and Ultimately recover from the crisis
Why BCP?
King III; High risk environment; Reputation and Public image; Reliance on complex systems; Good business sense!
Drivers for BCP – regulatory
King II
3.1.5. The board is responsible for ensuring that a systematic, documented assessment of the processes and outcomes surrounding key risks is undertaken, at least annually, for the purpose of making its public statement on risk management. It should, at appropriately considered intervals, receive and review reports on the risk management process in the company. This risk assessment should address the company’s exposure to at least the following: physical and operational risks; human resource risks; technology risks; business continuity and disaster recovery; credit and market risks; and compliance risks.
IT Governance
King III: IT should form an integral part of the company’s risk management
Recommendation:
Management should regularly demonstrate to the board that adequate business resilience arrangements are in place for disaster recovery
The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered
Practical Considerations:
Business Continuity Planning and DRP
Awareness of IT related laws and regulations
IT Governance
King III: Risk committee and audit committee should assist the board in carrying out its IT responsibilities
Recommendation:
The risk committee should ensure that IT risks are adequately addressed
The risk committee should obtain appropriate assurance that controls are in place and effective in addressing IT risks
The audit committee should consider IT as it relates to financial reporting and the going concern of the company
Practical considerations:
IT risks covered as part of ERM process
IT should be on agenda of Risk and Audit committee meetings
Audit committee to consider IT risks as it relates to: Financial Reporting; Going Concern
BCP and Risk Management
Risks threaten
Controls mitigate risks – to an extent
Risks can impact
Impact results in aftermath – “mess”
The mess needs to be cleaned up
Aftermath issues are generic
BCP should focus on aftermath
RISK MANAGEMENT SAFETY NET
How Does BCP Fit Into a Risk Management Framework?
Threats: Strategic; Financial; Operational; Legal
Impact: massive disruption to business operations; significant financial loss; loss of customers and market share; loss of vital information - computers and documents; adverse media coverage and poor image; political embarrassment; legal claims for negligence and breach of contract; increased insurance premium; theft of equipment and resources; poor staff morale; management lose control and cannot cope
Your Business Shield: access controls; hazard avoidance; hazard detection; hazard suppression; redundancy/duplication/diversity; backup culture and awareness
Crisis Management; Operational Continuity; Technology Disaster Recovery
Aftermath Issues: operations; people; technology - IT and voice; facilities; financial; media; legal; customers and suppliers
What auditors traditionally look for
The Full Scope Approach (can take months): Analysis – risks, criticality, impact etc.; Strategy Formulation; Documentation; Training; Testing; Maintenance
What do Auditors want from a DRP: Documented Plan; Recently updated; Evidence of Testing; Evidence of Risk Assessment and Business Impact Analysis; Are you backing up – where?; Environmental controls
And it looks like this…
[Diagram labels: Plan Development Business Impact Analysis Minimum recovery resources Range of strategies Draft BCP RFI / RFP costs Cost vs. benefit review Strategy selection Prepare team structure Recovery time objectives Determine impacts (Financial, operational, etc.) Develop ranking criteria Determine business processes Testing & Maint. procedures Document final BCP Risk Assessment Perform threat analysis Prepare team procedures Structured walk-thru Review existing mitigation program Health Check Strategy Selection Testing and Maintenance]
So what is the solution? - BCP FastTrack
SIMULATION, IMPLEMENTATION, TEST, RETEST
Simulate large scale crisis with team who would manage a real life crisis
Involve 3rd parties e.g. Insurance, Media, Emergency Services
Develop recovery plans in follow up workshops
Business Units and IT implement infrastructure identified from simulation
People who will use and rely on the recovery strategies and plans will test them
Testing occurs regularly
Simulation
People need to be rehearsed in their roles if they are to perform on the day
Example – Loss of buildings & telephony simulation
Involve external parties
The crisis team negotiate their response with the team members
Insurance coverage is confirmed with the Loss Adjusters - with some surprises
External media challenge the public relations response
People need to be rehearsed if they are to perform on the day
Practical considerations and key lessons?
Practical considerations
Accounting for all staff and contractors
Dealing with the media and issuing press statements
Communicating with staff and the public
Restoration of call centre and IT systems
Sourcing and moving to other premises
Re-routing of PABX
Staff counselling
Limited number of available PCs
Insurance considerations
Contracts/documents destroyed
Restoring business operations
Rising from the Ashes – key lessons on recovering from a disaster
Business Continuity is not just a document – It's an ABILITY: People; Supporting Infrastructure; Action checklists
Not a once-off exercise
Change management is vital
Should be an annual budget
Tested IT recovery
Good communication
Deal with the Media
Insurance Review 3rd parties
People first
Conclusion
Can your organisation afford a BCP? vs. Can your organisation afford not to have a BCP?