1. FM Global Business Risk Consulting Group Business Continuity Planning and Analysis: Protecting Business Value Texas PRIMA’s 20 th Annual Conference November 19, 2009

2. Overall agenda Identify key reasons driving Business Continuity Management in today’s global economy Context and Terminology Reasons for developing a Business Continuity Management Program Framework of the strategy and process for developing and writing a Business Continuity Plan

3. Design for resilience Develop your continuity strategies Keep continuity alive Implement your continuity strategies Understand your business Strategy Culture BCM Framework

4. Today’s business environment BUSINESS Competitive pressure Reduced time to market Info available to buyers Operational efficiency High asset utilization Lean manufacturing Corporate governance Regulatory compliance Need for transparency Executive accountability Global supply chains Outsourcing ICT dependency Network interdependencies

5. Today’s business world we know disruptions will occur, but we don’t know when, for how long, or the cause. directors and ‘C-Suite’ officers must be proactive in mitigating risk. an excellent part of being seen to be proactive, is to have a business continuity plan in place. We can’t ELIMINATE risk, but we can at least MANAGE the impact!

6. Terminology How would you define the terms? ERMBCMBCPDRP RTO MTO

7. A question of scope and focus… Strategic OperationalExternal Financial Enterprise risk management… the identification and evaluation of all relevant risks an organization faces, alignment of strategies with risk appetite, and perpetual management of exposures so that entity objectives are achievable. RISK Business continuity management… a holistic management process that identifies potential impacts that threaten a company, provides a framework for building resilience and develops the capability for an effective response to safe- guard the interests of the stakeholders, reputation, brand and value creating activities*. IMPACT *Courtesy of the Business Continuity Institute

8. SUPPLY CHAIN MANAGEMENT QUALITY MANAGEMENT RISK MANAGEMENT DISASTER RECOVERY FACILITIES MANAGEMENT *The Business Continuity Institute 2002 SECURITY CRISIS COMMUNICATIONS & PUBLIC RELATIONS HEALTH & SAFETY KNOWLEDGE MANAGEMENT EMERGENCY MANAGEMENT The BCM ‘umbrella’ Courtesy of the Business Continuity Institute BUSINESS CONTINUITY MANAGEMENT

9. Design for resilience Develop your continuity strategies Keep continuity alive Implement your continuity strategies Understand your business Strategy Culture Business Continuity Plans (BCP) An element of BCM BCM

10. BCP and DRP Business continuity plan… a documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable pre- defined level*. Disaster recovery plan… the management approved document that defines the resources, actions, tasks and data required to manage the recovery effort. It usually refers to the technology recovery effort and is a component of the business continuity management program*. *Courtesy of the Business Continuity Institute and DRI International

11. Confused? ERM BCM DRP BCP

12. MTO and RTO Maximum tolerable outage (also maximum tolerable period of disruption)… the duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed. Recovery time objective… the target time set for: –Resumption of product and service delivery after an incident –Resumption of performance of an activity after an incident –Recovery of an IT system or application after an incident which must support the MTO. Courtesy of the Business Continuity Institute

13. Why Should You Have BCM? What are common reasons for implementing Business Continuity Management?

14. Property Damage Risks - typically considered in isolation –Replacement cost of lost physical assets –Lost value of production/service delivery The Bigger Picture –Failed delivery ► brand damage –Cash-flow volatility ► investor confidence loss –Lost opportunities ► reduced growth potential The Bigger Picture

15. Case Study - University of Adelaide

16. Background Founded in 1874 Over 20,000 students & over 2,500 staff 3 weeks into 2005 academic year, waterline breached releasing over 100K liters of water Water released into a trench directing water downward toward roof of Plaza Building which housed 3 schools, university library, data center, and central air plant for most of the campus Carried 40 tons of silt and mud into Plant Room, IT servers, classrooms and library

17. Case Study - University of Adelaide

19. Mitigation Information Technologies Disaster recovery plan in place and activated Multiple data centers  85% of IT systems back in 36 hours Competent staff available Good relationships with subcontractors Property Services Developed an electrical risk plan Upgraded the AC/Thermal plant room Asbestos abatement program

20. Mitigation (continued) Property Services Move important items from exposed areas (if possible) Raise equipment off the ground Provide back-up generators and related equipment  Agreements in place for 2 hour delivery Protect vulnerable openings with curbing

21. Impact Summary 95% of classes resumed the following Monday 95% of electrical, A/C, fire detection equipment back up by next week Majority of ceilings, floor coverings replaced within a month Impact to IT equipment, projects and resources can be long term  Can take 4 to 6 months to get equipment recertified  “Lose IT for even a month in the middle of the semester, we lose the whole semester”

22. Benefits of BCM 1.Protects the company’s Brand and Reputation. 2.Safeguards and enhances the company’s shareholder value 3.Maintains standards of excellence 4.Helps to optimize and streamline a business or organization 5.Directs a focused IT expenditure 6.Mitigates loss in revenues 7.Enhances customer confidence and assurance on deliverables 8.Demonstrates improved risk quality for insurance purposes 9.Enhances selling-point for contract tenders

23. Companies that manage risk properly and communicate the effectiveness of these efforts to stakeholders could… – gain competitive advantage – boost financial performance – enhance shareholder value – protect the value their business creates In Summary….

24. Protecting Business Value: Effective Business Continuity Planning Framework

25. Design for resilience Develop your continuity strategies Keep continuity alive Implement your continuity strategies Understand your business Strategy Culture BCM Framework

26. Strategy –Engage executive management –Define objectives: managed resilience –Establish steering committee –Think resilience at design not execution –Make business continuity strategic Culture –Elevate and expand continuity awareness –Communicate the benefits widely –Embed continuity in culture: be active not reactive Design for Resilience

27. Design for resilience Develop your continuity strategies Keep continuity alive Implement your continuity strategies Understand your business Strategy Culture BCM Framework

28. Why? In times of crisis, resources – money, people, time, materials – are scarce. You can’t solve everything at once – you need to know where to direct these scarce resources. To know where to direct resources, you must determine which activities are critical to maintaining continuity and achieving your strategic objectives You must Understand Your Business Design for resilience Understand your business

29. The Business Impact Analysis What are the key hazards? What are the credible loss scenarios? What is the quality of risk mitigation within the business? Risk Analysis How much profit do these products and services generate? Where are the costs associated with their delivery to customers? Financial Analysis Business Impact Analysis What are the key facilities and processes that drive revenues and costs, what could go wrong within these and what would be the cost to the business if it did go wrong? How can these exposures be mitigated in order to ensure business continuity and protect shareholder value? Risk Mitigation Opportunities How do products and services flow through the internal and external supply chain? How could these flows be interrupted? Business Model Analysis

30. BIA outcomes Improved protection of critical processes Changes to production/service processes Product range rationalization Dual/multiple sourcing of suppliers Increased levels of key components Continuity plans developed/refined Supplier approval process extended Recovery Time Objective (RTO)

31. Design for resilience Develop your continuity strategies Keep continuity alive Implement your continuity strategies Understand your business Strategy Culture BCM Framework

32. Strategy Objective Make decisions regarding business continuity strategies and identify actions required for the development of a Business Continuity Plan

33. Strategic Objectives Remember… the overriding objectives of a BCP are: –…to reduce the time in which products are unavailable to the company’s key customers and markets –…to maintain an optimum volume of sales to these customers & markets while normal operations are being re- established, and –…to ensure the company’s survival

34. Purpose of Strategy Stop the event Make any interruption “transparent” to your clients Have plans in place to deal with residual risk

35. Strategies: Corporate Tips Tips to keep in mind when developing strategies: 1. Collect available documentation 2. Six key areas for consideration 3. Identify viable strategies 4. Identify resource and asset needs 5. Methodology for evaluation of strategies 6. Consolidate your strategies 7. Formalize the business unit or division strategy 8. Obtain executive commitment

36. Design for resilience Develop your continuity strategies Keep continuity alive Implement your continuity strategies Understand your business Strategy Culture BCM Framework Implement strategies to build resilience Develop response, recovery, and continuity plans

37. …the Business Continuity Plan …the Business Continuity Plan (BCP) provides a framework for decision-making by: identifying necessary actions to be taken assigning roles & responsibilities establishing resources to implement the plan …that will achieve stated strategic objectives set by the board…

38. Minimum operations to achieve survival Normal operations BCM: phases of response Time Service Capacity 100% 0% Incident Response Plan Immediate and short term Emergency Response Plans Account for personnel Damage containment Damage assessment Decision to invoke BCP Disaster Recovery Plan Short to medium term Contact staff, customers and suppliers Recover critical business processes locally Recover work schedule Decision to invoke BCP Business Continuity Plan Short to long term Implement business continuity strategies for critical business processes Address customer base and market impact Implement Business Resumption Plan Unplanned business restoration Decision to invoke BCP

39. Business Unit Plans Provide business function managers with a reference guide early recovery of essential services Identify key internal and external resources Identify mission critical processes Key actions/decisions

40. Design for resilience Develop your continuity strategies Keep continuity alive Implement your continuity strategies Understand your business Strategy Culture BCM Framework

41. Why Plans Fail Do you know the number one reason why BC plans fail?

42. Why Business Continuity Training? Needs a series of complex, interdependent and independent tasks to be executed in a coordinated manner under stressful conditions. All personnel need to know: –What is my role? What do I need to do? –Where should I go? Manuals are unlikely to be read during the incident. Situations will arise which will be alien to traditional styles of management for normal operations

43. To evaluate current BCM competence To identify areas for improvement To validate assumptions To improve confidence To develop teamwork To raise awareness There is no PASS/FAIL, only an accumulation of knowledge Why Business Continuity Training?

44. BCM: Maintenance Is driven from changes in people, processes, market environment, legislation, risk and business strategy. Ensures your plan is current, accurate, complete and exercised. Should be performed at least annually. Maintenance of your plan:

45. Summary Exercise your plans –Design and enact plan exercises –Learn from successes and shortcomings –Revise plans accordingly Maintain and improve –Understand changes to business model –Review and refine continuity strategies –Revise plans accordingly

46. Brian J. Hunt, CPA, CFE, CBCP Senior Consultant FM Global 5700 Granite Parkway, Suite 700 Plano, Texas 75024 972-731-1608 Brian.hunt@fmglobal.com Linkedin:http://www.linkedin.com/in/brianjhunt Protecting the value business creates!

47. Design for resilience Develop your continuity strategies Keep continuity alive Implement your continuity strategies Understand your business Strategy Culture BCM Framework

48. Follow-up at your workplace, question…. Do you know which product/service generates most of your profits? Do you know its path through your business? Who is your most critical supplier and what’s the business impact of their failure? Are validated, updated, tested and reasonable BCPs in place across your business? Can your business withstand a major unplanned interruption?

49. Seven simple questions 1.What is your organization trying to achieve? 2.What products and services does it deliver to achieve this? 3.Which markets does it deliver them to? 4.What processes enable their delivery? 5.How much money do they generate? 6.What could happen to stop these processes? 7.What would happen if these processes stopped?