2010 Virginia RIMS and PRIMA Conference October 5, 2010 Business Impact Analysis: The Road Map to Managing Risks
Understanding risks in quantifiable terms provides the roadmap The need for information…
Measures the enterprise- wide impacts to an organization in the event of a major disruption to key business processes Financial $ quantification of specific exposures Applied to internal as well as external processes / facilities Business Impact Analysis (BIA)
The Evolving Landscape BUSINESS Competitive pressure Reduced time to market Margin pressure Operational efficiency High asset utilization Lean manufacturing Corporate governance Regulatory compliance Need for transparency Executive accountability Consolidations Global supply chains & economic conditions Business model complexities / silos
The Evolving Landscape Internal risks Internal risks Traditionally covered ?Traditionally covered ? External risks? Do risk management efforts match?Do risk management efforts match? ⇒ The distinction between internal and external is becoming more blurry ⇒ The property risk blind spot
Pressures lead to increasing risks and accountability to manage risk
And yet…
8 SUPPLY CHAIN MANAGEMENT QUALITY MANAGEMENT RISK MANAGEMENT DISASTER RECOVERY FACILITIES MANAGEMENT & RISK IMPROVEMENT SECURITY CRISIS COMMUNICATIONS & PUBLIC RELATIONS HEALTH & SAFETY KNOWLEDGE MANAGEMENT EMERGENCY MANAGEMENT Response: The BCM ‘umbrella’ Courtesy of the Business Continuity Institute BUSINESS CONTINUITY MANAGEMENT
Design For Resilience Understand your business Implement your continuity strategies Keep continuity alive Develop your continuity strategies BIA Analysis / prioritization BC / Ops Strategies The BCM Model
A few basic assumptions BCP: Scenario neutral Probabilities Factor into crisis management, not BCPFactor into crisis management, not BCP Outage time is the key consideration with recovery strategiesOutage time is the key consideration with recovery strategies Scope Entire facilityEntire facility Worst case scenarios DO happen… plan on it and you’re ready for anything
To know where to direct limited resources, you must determine which activities are most critical to maintaining continuity and achieving your strategic objectives How would the current level of understanding be assessed? Revenue streams, resilience and risks? Interdependencies between revenue streams? Mitigation capabilities? Ultimate exposures? Design for Resilience Understand your business
Developing BC strategies Prevent losses happening in the first place by protecting your critical processes Make changes now to critical process in your business model to make it more resilient Develop plans that you can implement to maintain your business if the worst happens Specific $ estimates allow for easier cost / benefit evaluation
Information sharing is critical Finance Supply chain Operations Risk Management to create a prioritization map
Execution – Business Model Analysis Firm Infrastructure – Finance Human Resources Information Technology Purchasing/Procurement Inbound Logistics Outbound Logistics Operations Marketing & Sales Service Profit Questionnaires, with follow-up interviews
Dependency Mapping Understanding the relationship between revenue / margin streams and: Locations (can also drive values reporting)Locations (can also drive values reporting) ProcessesProcesses ApplicationsApplications Suppliers (mainly sole sources)Suppliers (mainly sole sources)
Quantification Approach 1.Determine product lines impacted and direct variable margin impacts on a product line basis 2.Evaluate potential interdependent impacts – other revenue streams 3.Determine current replacement / recovery period 4.Assess mitigation capabilities 5.Consider other loss-cost factors Additional expenses, related to mitigation or otherAdditional expenses, related to mitigation or other Customer losses, after recovery; can be huge factorCustomer losses, after recovery; can be huge factor Internal / External Analysis
RTO / MTO Identification Maximum tolerable outage The duration after which an organization’s viability will be threatened if the activity cannot be resumed.The duration after which an organization’s viability will be threatened if the activity cannot be resumed. Recovery time objective The specific target time set for resumption of performance of an activity / process / application, etc. after an incident, which must support the MTO.The specific target time set for resumption of performance of an activity / process / application, etc. after an incident, which must support the MTO. Evaluate the gap from current recoveryEvaluate the gap from current recovery Identification is important, but consider subjectivity Evaluate against specific $ exposure quantifications via worst- case scenarioEvaluate against specific $ exposure quantifications via worst- case scenario
Risk evaluation Consider the relationship between physical risk and impact to the business when evaluating risk mitigation strategies
Resource direction
Some examples… Capet manufacturing: chemical supplier Coal mining interdependency Production bottlenecks Medical device supplier exposures Sr. management / BOD support for BCP / RI efforts Focusing RM resources (RI, BCP, transfer,…) > $400M + Reputation + Market Share + Shareholder Value
BCM more critical Prioritized approach to make manageable $ quantifications with assessment of physical risks$ quantifications with assessment of physical risks Optimizes mitigation strategy selectionOptimizes mitigation strategy selection Framework includes loss preventionFramework includes loss prevention Does the management of internal and external risks match? Summary
Eric Jones, CPA, CVA, CBCP FM Global AVP, Manager, Business Risk Consulting