understanding risks in quantifiable terms provides the roadmap

2010 Virginia RIMS and PRIMA Conference, October 5, 2010. Business Impact Analysis: The Road Map to Managing Risks

Upload: shadi

Post on 19-Feb-2016


Page 1: Understanding risks in  quantifiable  terms provides the roadmap

2010 Virginia RIMS and PRIMA Conference

October 5, 2010

Business Impact Analysis: The Road Map to Managing Risks

Page 2: Understanding risks in  quantifiable  terms provides the roadmap

Understanding risks in quantifiable terms provides the roadmap

The need for information…

Page 3: Understanding risks in  quantifiable  terms provides the roadmap

Business Impact Analysis (BIA)

Measures the enterprise-wide impacts to an organization in the event of a major disruption to key business processes
• Financial $ quantification of specific exposures
• Applied to internal as well as external processes / facilities

Page 4: Understanding risks in  quantifiable  terms provides the roadmap

The Evolving Landscape

BUSINESS
• Competitive pressure
• Reduced time to market
• Margin pressure
• Operational efficiency
• High asset utilization
• Lean manufacturing
• Corporate governance
• Regulatory compliance
• Need for transparency
• Executive accountability
• Consolidations
• Global supply chains & economic conditions
• Business model complexities / silos

Page 5: Understanding risks in  quantifiable  terms provides the roadmap

The Evolving Landscape

Internal risks
• Traditionally covered?

External risks?
• Do risk management efforts match?

⇒ The distinction between internal and external is becoming more blurry

⇒ The property risk blind spot

Page 6: Understanding risks in  quantifiable  terms provides the roadmap

Pressures lead to increasing risks

and accountability to manage risk

Page 7: Understanding risks in  quantifiable  terms provides the roadmap

And yet…

Page 8: Understanding risks in  quantifiable  terms provides the roadmap

Response: The BCM ‘umbrella’

BUSINESS CONTINUITY MANAGEMENT
• SUPPLY CHAIN MANAGEMENT
• QUALITY MANAGEMENT
• RISK MANAGEMENT
• DISASTER RECOVERY
• FACILITIES MANAGEMENT & RISK IMPROVEMENT
• SECURITY
• CRISIS COMMUNICATIONS & PUBLIC RELATIONS
• HEALTH & SAFETY
• KNOWLEDGE MANAGEMENT
• EMERGENCY MANAGEMENT

Courtesy of the Business Continuity Institute

Page 9: Understanding risks in  quantifiable  terms provides the roadmap

The BCM Model

Design for Resilience
• Understand your business
• Implement your continuity strategies
• Keep continuity alive
• Develop your continuity strategies

BIA

Analysis / prioritization

BC / Ops Strategies

Page 10: Understanding risks in  quantifiable  terms provides the roadmap

A few basic assumptions

BCP: Scenario neutral

Probabilities
• Factor into crisis management, not BCP
• Outage time is the key consideration with recovery strategies

Scope
• Entire facility

Worst case scenarios DO happen…plan on it and you’re ready for anything

Page 11: Understanding risks in  quantifiable  terms provides the roadmap

To know where to direct limited resources, you must determine which activities are most critical to maintaining continuity and achieving your strategic objectives

How would the current level of understanding be assessed?

•Revenue streams, resilience and risks?

•Interdependencies between revenue streams?

•Mitigation capabilities?

•Ultimate exposures?

Design for Resilience

Understand your business

Page 12: Understanding risks in  quantifiable  terms provides the roadmap

Developing BC strategies

Prevent losses happening in the first place by protecting your critical processes

Make changes now to critical processes in your business model to make it more resilient

Develop plans that you can implement to maintain your business if the worst happens

Specific $ estimates allow for easier cost / benefit evaluation

Page 13: Understanding risks in  quantifiable  terms provides the roadmap

Information sharing is critical

Finance

Supply chain

Operations

Risk Management

to create a prioritization map

Page 14: Understanding risks in  quantifiable  terms provides the roadmap

Execution – Business Model Analysis

Firm Infrastructure – Finance

Human Resources

Information Technology

Purchasing/Procurement

Inbound Logistics

Outbound Logistics

Operations

Marketing & Sales

Service

Profit

Questionnaires, with follow-up interviews

Page 15: Understanding risks in  quantifiable  terms provides the roadmap

Dependency Mapping

Understanding the relationship between revenue / margin streams and:
• Locations (can also drive values reporting)
• Processes
• Applications
• Suppliers (mainly sole sources)

| Location | Product A $15.5M | Product B $100.1M | Product C $75.6M | Product D $355.3M |
|---|---|---|---|---|
| Location 1 | 10% | 0% | 0% | 20% |
| Location 2 | 50% | 25% | 100% | 65% |
| Location 3 | 100% | 100% | 100% | 100% |
| Location 4 | 100% | 0% | 0% | 10% |

Page 16: Understanding risks in  quantifiable  terms provides the roadmap

Quantification Approach

Internal / External Analysis

[Worksheet column headings: Direct Annual Impact; Interdependent Annual Impacts; Product Lines Impacted; % Impacted; Annual Product Variable Margin(s) (BI Value); Annual Product Variable Margin(s) (BI Value); Replacement Period - Months; Mitigation - Months; Subtotal; Rate; Amount; Rate; Time (months); Amount; Additional Expenses; Post-replacement lost sales]

1. Determine product lines impacted and direct variable margin impacts on a product line basis

2. Evaluate potential interdependent impacts – other revenue streams

3. Determine current replacement / recovery period

4. Assess mitigation capabilities

5. Consider other loss-cost factors
• Additional expenses, related to mitigation or other
• Customer losses, after recovery; can be huge factor

Page 17: Understanding risks in  quantifiable  terms provides the roadmap

RTO / MTO Identification

Maximum tolerable outage
• The duration after which an organization’s viability will be threatened if the activity cannot be resumed.

Recovery time objective
• The specific target time set for resumption of performance of an activity / process / application, etc. after an incident, which must support the MTO.
• Evaluate the gap from current recovery

Identification is important, but consider subjectivity
• Evaluate against specific $ exposure quantifications via worst-case scenario

Page 18: Understanding risks in  quantifiable  terms provides the roadmap

Risk evaluation

Consider the relationship between physical risk and impact to the business when evaluating risk mitigation strategies

Page 19: Understanding risks in  quantifiable  terms provides the roadmap

Resource direction

[Chart: BI Exposure vs. Risk Quality. Horizontal axis: BI Exposure ($M), $0 to $200. Vertical axis: Actual Risk Mark Score, 60 to 100. Locations plotted: Phoenix, Dallas, Houston, Austin, San Antonio, Orlando, Charlotte, Denver, Beaumont.]

Page 20: Understanding risks in  quantifiable  terms provides the roadmap

Some examples…
• Carpet manufacturing: chemical supplier
• Coal mining interdependency
• Production bottlenecks
• Medical device supplier exposures
• Sr. management / BOD support for BCP / RI efforts
• Focusing RM resources (RI, BCP, transfer,…)

> $400M

+ Reputation

+ Market Share

+ Shareholder Value

Page 21: Understanding risks in  quantifiable  terms provides the roadmap
Page 22: Understanding risks in  quantifiable  terms provides the roadmap

Summary

BCM more critical

Prioritized approach to make manageable
• $ quantifications with assessment of physical risks
• Optimizes mitigation strategy selection
• Framework includes loss prevention

Does the management of internal and external risks match?

Page 23: Understanding risks in  quantifiable  terms provides the roadmap

Eric Jones, CPA, CVA, CBCP

FM Global

AVP, Manager, Business Risk [email protected]