zero disruptions workshop strategies and solutions for maintaining business continuity calvin (cal)...

Zero Disruptions WorkshopStrategies and Solutions for Maintaining

Business Continuity

Calvin (Cal) Beyer5th Annual PDCApril 18, 2013

Your Presenter: Cal Beyer

• 25 years of insurance industry experience• Multi-industry risk management thought leader• Former National Officer of Construction Financial Management Association• Author/co-author of articles on emergency management, critical incident

response, reputation risk and business continuity • Co-author of CFMA Business Continuity “Lessons Learned” resource• Co-developer of CFMA Emergency Management continuing education course

– Co-presented CFMA’s EMP course annually since 2007 at Annual Conference

– 30 presentations (2006-2010) for 2,400+ financial and operational professionals

• Keynote speaker at Rockwell Automation’s 2012 Safety Automation Forum• Co-presenting at 2013 ASSE Professional development Conference in Las Vegas

Risk Leadership

Source: Artwork by Jen Olney(@GingerConsult & #Bealeader)

Insurance and Risk Management Strategies & Resources

Emergency Management & Business Continuity Fundamentals

Disruptions and Vulnerabilities

Strategic Risk Management & Resiliency

Discussion Topics

Icebreaker

• How many different industries and segment are represented in today’s session? Examples: – Manufacturing (automobile, food, machinery, pharma, etc.)– Construction (Heavy/Highway, GC/CM, specialty trade)

• What are the functional responsibilities of today’s attendees?

• How effective is your company’s Emergency Plan?– Formal (written procedures)?– Current (last revised?)– Basic or Comprehensive?– On the shelf or tested in practice?

Disaster Response to Zero Disruptions

4 distinct phases of training sessions: 1. Disaster response

2. Emergency planning and preparedness

3. Crisis management and reputation risk

4. Zero Disruptions

Leadership Lessons from Nashville FloodColin Reed; Chairman & CEO, Ryman Hospitality Properties

(Formerly Gaylord Entertainment)

• The time for creating an emergency plan is not during the emergency– Prepare an emergency manual that outlines the potential

"events" and "responses."

• Build the "right" culture of leaders, management and employees

• Communication has to be direct and honest during an emergency

• “We are a better company because of what we went through."

Source: DeVries, M.J. (2010 August 16). Best Practices Construction Law. http://www.bestpracticesconstructionlaw.com/2010/08/articles/leadership/colin-reed-leadership-lessons-from-nashvilles-flood-recovery/

8

It Could Happen Tomorrow: Reality TV?

• The Weather Channel (www.weather.com)

• “… unbelievable yet possible acts of nature which could spell disaster for cities across America”

• Hurricane Katrina “predicted” before it hit New Orleans– Pilot episode completed in April 2005 on hypothetical category 5

hurricane striking New Orleans… but did not air until June 2006– Substituted with hurricane striking NYC thereby “predicting”

2012 Super Storm Sandy

Key Risk Management Principles

• Risk management processes– Decision making – Business improvement

• Tangible and intangible assets are “at risk”• “Frequency breeds severity” • “Prevention is better than mitigation”

– Mitigation is better than litigation• Indirect (uninsured) costs are a multiplier on direct

(insured) costs

Productivity

Quality

Risk

Safety

Integrated Risk Management Model: PQRSLevers for Profitability

Source: Copyright 2010. Construction Financial Management Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning continuing Association. Emergency Management Planning continuing education course. All rights reserved. Used with permission. education course. All rights reserved. Used with permission.

11

7 Types of Business Risk

Risk Management: Simple Definition

“The preservation of an organization’s

human and financial resources”.

Preservation = Conservative Approach

Strategic Risk Management: Definition

“The preservation and leveraging of an

organization’s human, financial and strategic assets.”

Leveraging to Seize Strategic Opportunities Based on Risk to Reward Ratio

Zero Disruptions: Integrated Framework

Crisis Communication

Enterprise Risk Planning

Business Continuity

Emergency Management Planning

& Disruption Prevention

Source: Copyright 2010. Construction Financial Management Association. Emergency Management Planning continuing education course. All rights reserved. Used with permission

Crisis CommunicationsCrisis CommunicationsSupply Chain ResilienceSupply Chain Resilience

Business ContinuityBusiness ContinuityEmergency PlanningEmergency Planning

Zero Zero DisruptionsDisruptions

Zero Disruptions: Interrelated Disciplines

Exercise #1: Real Disruption Events

Individually brainstorm the following question:

What types of events can disrupt

ordinary business operations?

Examples of Business Disruptions

EarthquakeEarthquake Fatality accidentFatality accident Loss of key personnelLoss of key personnel

FireFire Power outagePower outage Labor strikeLabor strike

FloodFlood IT system crashIT system crash VandalismVandalism

Tornado/HurricaneTornado/Hurricane Workplace violenceWorkplace violenceDemonstrations Demonstrations

or riotsor riots

Blizzard/Ice stormBlizzard/Ice storm Equipment theftEquipment theft Chemical/HazMat spill Chemical/HazMat spill

Dam/Levee breakDam/Levee break Hacker/virusHacker/virus Supplier insolvencySupplier insolvency

Structure collapseStructure collapseBreach of privacy dataBreach of privacy data TerrorismTerrorism


Real Examples of Business Disruptions

• 45 attendees at 2011 CFMA Conference generated 36 real life disruptions that interrupted corporate operations or project activities

• 6 general grouping of disruptions: 1. Natural Disaster or Fortuitous Risk2. Utility Outage3. IT/Computer Problem4. Supply Chain Interruption5. Operational Risk6. Financial Problem

Natural Catastrophes vs. Man-Made (Technological) Disasters

Natural CatastrophesFloods, storms, hurricanes, tornadoes

Earthquakes and landslidesDrought, fire, heat

Ice storms

Man-made DisastersMajor fires or explosions

Utility emergencies IT & telecom failures & Cyber-security breaches

Aviation, shipping and rail disastersCollapse of dams, buildings, bridges

Pollution and hazardous materials spills Crime, war and terrorism

Pandemic flu

Tendency to Over-Emphasize Nat Cats; Increased Vulnerability to Man-Made Disasters

Characteristics of Disruptions

Type: Natural events vs. man-made (technological)

Probability: Likely vs. unlikelyForeseeability: Expected vs. unexpected

Frequency: Recurring vs. random

Scope: Emergency vs. disaster

Scale: Isolated vs. widespread

Severity: Minor vs. major

Exercise #2: Adverse Consequences

Individually brainstorm the following question and be

prepared to share examples with the group:

What are the possible types of adverse

consequences or outcomes of not having an

effective emergency management plan?

Adverse Consequences of Disruptions

• Breach of contract• Loss of reputation and

goodwill• Relocation of business • Absenteeism and attrition• Labor shortage

• Personal injuries • Fatalities• Service interruption• Broken supply chain• Cash flow crisis• Financial default• Bankruptcy


Reality Check: Austere Consequences

• What is the cost of “down day”?– “Down week”– “Down month”

• Temporarily relocated business?

• Permanently shuttered business?

Typical Recovery Time Objective: Resumption of Normal Business Activities Within 24 Hours

Exercise #3: Benefits & Positive Outcomes

Individually brainstorm the following question and be

prepared to share examples with the group:

What are the possible benefits and positive

outcomes of having an effective

emergency management plan?

Benefits of Emergency Management Plans

Reduce business disruption

Protect human, physical and financial assets

Maintain sustainable cash flow

Preserve customer base

Continue supply of services/products

Maintain reputation and public confidence

Preserve investor / creditor confidence

Mitigate legal liability

Maximize insurance recovery and reduce insurance costs, etc.

Elements of Emergency Plans

Purpose and policy statement

Authority and responsibilities

Types of emergencies Vulnerability assessment Emergency operations

center and procedures

Business continuity protocols

Crisis management and communication protocols

Site maps Evacuation procedures Resource lists

Internal External

Vulnerability Assessment

• Need for vulnerability assessment to determine priorities for planning

• Over-emphasis on natural disasters

• Under-emphasis on man-made or technological threats– I.T./business continuity and utility outages – Supply chain: Contingent risks and interdependencies

Example Risk Matrix

Source: www.fdicoig.gov (2005).

• Probability vs. Severity (Likelihood vs. Impact)

Strategic “Blind Spot”

Incomplete Information

Undetected Early Warning

Signals

Strategic “Blind Spot”

Lack of Prior

Experience


Exercise #4: Your Company’s Vulnerabilities

Individually brainstorm the following question and be prepared to share examples with the group:

1.What are the top 3-5 vulnerabilities your company faces?

2.Rank them on probability (high-medium-low) and on impact (catastrophic-critical-marginal).

3.How well prepared is your company today to addressing these top areas of vulnerability to disruption?

Crisis Risk Management and Corporate Reputation

CorporateReputation

(CR)

Crisis RiskManagement

(CRM)

OrganizationalCrises

Sustained CR = Sustained Competitive Advantage

Corporate Reputation (CR)Confidence

EsteemRespect

Trust

EmergencyManagement &

Business ContinuityPlan

Disaster ResponsePlan & Crisis

CommunicationProtocols

Crisis Risk Management (CRM) Practices

Enterprise Risk Planning Post-Crisis Recovery

Vulnerability Assessment Time of Crisis Response

Risk Analysis Pre-Crisis Planning

Exposure Identification Awareness/Readiness

Leadership &Management

Internal Problem

Policy/EthicsOperational

Micro-economic

Marketing & PublicRelations

External Event

Image/MediaEnvironmental

Macro-economic

Exposures + Perils =Risk

Beyer, C.E. (Jan-Feb 2010). The impact of crisis risk management on corporate reputation. Building Profits. Construction Financial Management Association.

Crisis Risk Management & Corporate Reputation

Risk and Reputation

• Becoming or remaining an employer of choice – Experiencing less voluntary employee attrition

• Retaining existing customers & attracting new customers• Expanding market share • Enhancing the ability to forge strategic partnerships and alliances• Differentiating from competitors

– Charging premium prices or gaining market share

Key Challenge: Creating a Sustainable Competitive Advantage

Strategic Risk Management

1. Strategic risks emanate from tangible and intangible assets– Brand, market position and competitive advantage

2. Shift from reactive disruption recovery to proactive disruption prevention

Examples of Strategic RisksCompany image and corporate reputationKey relationships, including partnerships and strategic alliancesAvailability of capital and creditPatents and other Intellectual PropertyAdoption of technology and other innovationsEmerging substitute products and services

Economies of scope and scaleChanging political and regulatory climateMergers and acquisitions and new competitors/suppliersContraction, divestiture or bankruptcy of existing competitors or suppliersShifting customer preferences

Opportunity to Leverage Safety as C-Suite Concern

Key Learning: Attitude of Invincibility

• Attitude of invincibility prevails– Less than 20% of workshop attendees acknowledge having

a written or formal program

• Invincibility stems from:Comfort Zone = ComplacencyPriority of today’s business demandsRandomness and bad luck of eventsOverwhelming processIt can’t be that badLighting doesn’t strike twice

Emergency Management Process

Pre-Crisis Activities Post-Crisis Activities

PLANNING PREPAREDNESS PREVENTION RESPONSE REMEDIATION RECOVERY


Emergency Management Planning Fundamentals

1. Does your company have a formal, written emergency plan?

2. Has this plan been disseminated and posted throughout the company?

3. Have all employees been trained on the plan?

4. When was the last formal update completed for your plan?

5. Has your company conducted tests or drills on this plan?


Needs Assessment -- Does Your Plan Include:

1. Vulnerability assessment?2. Probability Analysis?3. Business continuity plan for

data recovery?4. Emergency operations

procedures?5. “Go boxes/kits” of key

records/data?6. Evacuation procedures and

drills?7. Centralized meeting place(s)?

8. Critical Incident Response protocol

9. Internal resource lists (e.g., telephone trees)?

10. External resource contact lists?11. Crisis media management plan

with designated spokesperson? 12. Communication systems

protocols for customers, suppliers, employees, business partners and stakeholders?

Insurance & Risk Management Review

1. Solicit professional assessment of your company’s insurance and contractual risk– Determine what is insured and what is not insured– Ensure submission has current valuation for buildings and equipment– Understand contractual obligations– Evaluate adequacy of coverages and policy limits– Understand basis of recovery: Replacement Cost vs. Actual Cash

Value– Run various scenarios for potential impacts on business income and

extra expense• Evaluate need for Business Interruption (BI), Contingent BI and

extra expense -- and understand waiting period(s)

Insurance/Risk Mgt Review (con’t.)

2. Undertake comprehensive risk assessment evaluation– Assess vulnerabilities and interdependences– Institute corrective actions and plan future improvements

3. Evaluate need for tighter contractual controls– Add insurance requirements and indemnification language– Legal and risk management review of “critical clauses”– Add subcontractors’ emergency preparedness to pre-qual criteria– Ensure contractual risk transfer execution and documentation

exists at project level• Do not allow work to start without executed contracts

Business Continuity Planning

• Design• Security (controls and enforcement)• Redundancy• Backup (offsite storage, archiving, and retrieval)• Backup of operating system, too! • Testing• Auditing

“Achilles Heel”: IT & Cyber-Risk

• “Known-unknowns” or “unknown-unknowns” vulnerability• Privacy data breach: financial and reputation risk • Malware, hacking, viruses• Theft of laptops, hand-held devices & retrievable storage

devices

Risk Horizon Scan: Top 5 Threats (2012)

• As ranked by extremely concerned and concerned respondents

1. Unplanned IT and telecom outages (74%)2. Data breach -- loss or theft of confidential information (68%)3. Cyber attack -- malware, denial of service(65%)4. Adverse weather -- windstorm/tornado, flooding, snow, drought

(59%)5. Interruption to utility supply -- water, gas, electricity, waste

disposal (56%)

Source: Horizon Scan 2012 Survey, Business Continuity Institute42

Business Continuity Institute

• 4th Annual Supply Chain Resilience Survey– Download available with registration @ www.TheBCI.org

• 530 respondents in 65 countries• “origins, causes and consequences of supply chain disruptions…” • Increasing frequency, severity, disruption, consequences and costs• 73% of respondents had at least 1 disruption (ave = 5)• 39% below Tier 1• Top 3:

– IT/telecom (52%– Weather/Nat Cat (48%)– Sourcing provider failure (35%)

http://www.thebci.org/

Leading Sources/Causes of Data Breaches

• 95% of breaches stem from 3 sources:1. Loss or theft – 44%2. Hacker – 32% (75% of exposed records)

3. Rogue employee – 19%

Source: “Cyber liability and data breach insurance claims”; NetDiligence, June 2011

44

Costs of Data Breaches (Direct and Indirect)

• Required notification/communication• Hosting call center for customer inquiries and support• Credit monitoring services• Crisis management services (legal and public relations)• Forensic investigation• Business interruption (loss of income, cost to recreate lost data, extra

expenses)• Regulatory fines• Restitution• Legal liability • Reputation

45

• $60 billion global cyber security spending1

• 10% growth over the next 3-5 years1

• $10.2 billion in cyber security deals for first half of 20111

• $75.63 billion spent by US companies on IT security2

1. The 2012 Global State of Information Security Survey®, a worldwide survey by CIO Magazine, CSO Magazine and PwC.” .

2. Ponemon Institute, http://www.thefiscaltimes.com/Articles/2011/09/

Statistics on Cyber Security

46

http://www.thefiscaltimes.com/Articles/2011/09/

IT and Business Continuity Risk Management

• Train employees on safeguarding data, hardware and portable device security

• Audit clean desk policy and data security protocols• Review vendor contracts to understand mutual contractual

obligations for confidentiality/non-disclosure and risk transfer• Request business continuity plan from critical business

partners • Deploy data encryption • Develop incident response planning • Configure networks using multiple firewalls• Update anti-virus software regularly

47

IT and Business Continuity (con't.)

• Employ anti-virus software on all hardware and portable devices

• Scans incoming email attachments for virus• Back-up network data and configuration files daily• Test business continuity disaster plan, including data recovery

protocols using archives from offsite data centers• Install and test upgrades and security patches within 24 hours

of notification• Conduct scenario exercises and simulation exercises to

understand exposures and to identify vulnerabilities

48

Immediate Next Steps

1. Undertake insurance and risk management review2. Institute a planning team

– Make it a team sport and a contact sport– Interdisciplinary approach

3. Identify vulnerabilities– Assess potential for disruption– Determine expected frequency– Quantify the likely and worst-case scenario

4. Inventory existing internal resources5. Determine available external resources6. Develop, disseminate and drill on new plan

Individual Exercise: Action Steps

• Identify 3 critical gaps in business resiliency or continuity Identify 3 critical gaps in business resiliency or continuity planning for your company.planning for your company.

• Based on the information you have learned today, identify 3-5 Based on the information you have learned today, identify 3-5 specific tactics/strategies you will take at your company in key specific tactics/strategies you will take at your company in key areas:areas:• Emergency planning/preparednessEmergency planning/preparedness• Business continuity/resiliencyBusiness continuity/resiliency• Crisis management & communicationCrisis management & communication

Appendix: Additional Resources

• Know Your Stuff® – Home Inventory

• Insurance Information Institute's free online home inventory software (http://www.iii.org/)

http://www.iii.org/index.html

CFMA Louisiana Joint Chapter CFMA Louisiana Joint Chapter Conference in New Orleans Conference in New Orleans (March 2006)(March 2006)

Copy available upon request Copy available upon request

Business Continuity Planning Checklist

5353

Emergency Management Guide for Business and Industry http://www.fema.gov/library/viewRecord.do?fromSearch=fromsearch&id=1689

Sample Emergency Plan Resourceswww.ready.gov/business/

Protect Your Workplace: Cyber-Securityhttp://www.us-cert.gov/reading_room/

Business Continuity and Emergency Planhttp://www.ready.gov/business/_downloads/sampleplan.pdf

Downloadable Government Resources

Crisis Care Networkwww.crisiscare.com

Critical incident response

The Lukaszewski Group, Inc. Division of Risdall Public Relations http://www.e911.com/Crisis communications

Critical Incident Response & Crisis Management

http://corp.crisiscare.com/

http://webstore.ansi.org/

Bernstein Crisis Management, Inc.www.bernsteincrisismanagement.com/

Guide to Business Continuity Management, 2nd editionhttp://www.protiviti.com/en-US/Pages/Guide-to-BCM-2nd-Edition.aspx

Additional Resources

56

www.supplychainriskinsights.com

•Zurich North America’s co-branded microsite with Wall Street Journal•Repository for thought leadership on supply chain risk management topics

Supply Chain Risk Management Resource

The Financial Management of Cyber Risk: An Implementation Framework for CFOs

http://webstore.ansi.org

Cyber Risk Resource

http://webstore.ansi.org/

Cal BeyerMurray Securus

39 N. Duke StreetLancaster, PA 17608

Phone: 717.397.9600www.murrayins.com

[email protected]

www.linkedin.com/in/calvinbeyer/

@riskleadership & @ContractorRisk

Contact Information

http://www.murrayins.com/

zero disruptions workshop strategies and solutions for maintaining business continuity calvin (cal)...

Documents