Rethinking contingency planning for an integrated world

Transcription

1 Business Continuity* January 2010 Rethinking contingency planning for an integrated world Highlights: Increased supply chain complexities require broadened scope of contingency planning. Increasing outsourcing of IT creates new requirements around data recovery. A BCM certification process, under way at the Department of Homeland Security, is likely to set standards. While emergency management remains core, BCM is evolving as a risk management tool that can build the resiliency of business. A disaster occurs every week in the US. Robust business continuity management (BCM) is vital to gauge the business functions and related personnel, systems, facilities, and third parties that are minimally required to help maintain revenue and customer service, protect the brand, and remain compliant. But the best survival manual can quickly become obsolete if it does not keep pace with changes in the business, such as increasing supply chain complexities or new risk exposures due to evolving business models or operating models. Business continuity programs should be updated continually to ensure that they address risks stemming from the interdependencies integral to running a business. Why BCM deserves a fresh look 1. Board committees are seeking resiliency strategies, as recent events, like the H1N1 pandemic threat, highlight vulnerabilities. 2. Many disaster plans are designed by information technology (IT) or centered on IT, leaving other business operations, facilities, people, and third-party dependencies exposed. 3. Businesses continue to migrate toward externally provided functions such as IT, procurement, order intake, and accounting. Contingency planning for major disruptions at service providers forms part of an effective BCM program. 4. Because contingency planning varies widely across industries, a business can be vulnerable due to its suppliers poor business continuity plans.

2 At a glance Putting business back in BCM means widening the scope of BCM programs Standard practices Emerging practices Focused almost exclusively on IT data security and backup systems to create a temporary, alternative working environment Undertaken independently by companies via a variety of methods Centered on surviving a onetime, catastrophic event impacting a company s physical operating ability over a short period of time Created to mitigate internal risks to operations in the event of a catastrophe Performed as a onetime project, yielding a contingency plan that may not keep up with changes in the business Coordinated planning across an organization, considering not only IT but also people, facilities, and third parties for critical operations as diverse as finance, manufacturing, HR, and procurement Utilizes emerging BCM compliance standards for greater compatibility across industries with interconnected supply chains Strengthens a company s resiliency and longevity in the face of disasters and other events causing widespread and longer-lasting disruptions Addresses internal as well as external business interdependencies via plans that incorporate outsourced business and IT processes, people, and third parties Viewed and executed as a sustainable program designed to promote maintenance, training, and testing for continuous improvement and preparedness

3 01 Disruption proofing Increased outsourcing requires a company to manage business continuity with entities outside its direct control Information technology services Production or delivery of your core products or services Logistics and distribution HR services Sales and marketing, including third-party distribution channels Innovation, research and development Procurement Customer call centers Finance and accounting 16% 15% Percentage of companies that outsource this function % Percentage of companies that outsource it to a significant extent Source: PricewaterhouseCoopers Global Outsourcing Survey 35% 33% 27% 25% 24% 20% 32% 30% 39% 44% 41% 41% 53% 51% 50% 57% BCM is about making sure your organization is prepared to survive a catastrophic event that is either man-made or natural, either a onetime or longer-term event like a pandemic outbreak, or a significant disruption at a critical supplier. The fundamental nature of a robust BCM program remains based on four pillars: emergency response (safe evacuation of personnel); crisis management (command and control, communication, tactical recovery); disaster recovery (IT recovery, backup, and remote-access planning); and business continuity (recovering the operations of, at a minimum, the most critical business functions). What has changed in BCM is an appreciation of interconnected risks. The 2008 financial crisis revealed a major vulnerability; companies are increasingly reliant on one another. Hurricane Katrina taught us that lesson over four years ago. When it comes to disaster preparedness, interdependencies make a forceful case for a comprehensive solution rather than individual, fragmented remedies. This was PwC s approach in helping develop a blueprint for future healthcare delivery in Louisiana, and in helping organizations and communities in California to prepare for healthcare surge due to a catastrophic emergency. In both cases, PwC took a holistic view: what would it take to provide better preparation at the community level, not just at the first responder level, to keep organizations functioning and to protect as many lives as possible? Effective contingency planning tracks the dependencies in interconnected businesses. Take preparedness for H1N1. Under an effective plan, a business does the following: 1. Sets minimum thresholds that trigger reallocation of available staff resources to critical functions, as well as changes to services or functions. 2. Identifies other triggers such as reductions in productivity or revenue to activate a contingency plan. 3. Improves remote-access infrastructure. 4. Properly sets customer expectations about response time and reduced service capabilities. 5. Understands how external service providers are prepared to meet their service-level commitments in the event of a pandemic.

4 02 Addressing emerging risks in IT One of the cornerstones of the IT evolution involves companies ceding some of their direct control over IT operations. By now, many organizations have consolidated data centers, shifting key applications and data storage from the desktop along the way. Others have outsourced those operations. What companies do share is an increasing reliance on enterprise systems and network technologies. Any disruption to these systems can in some cases be catastrophic for a business as well as its partners. When the bulk of a company s workforce no longer has experience with off-line, work-around solutions, as is increasingly the case, and the technology managed by an external service gets disrupted, the result is a perfect storm. IT-related business practices now considered part of BCM: The untethered employee: The advent of flexible working environments as well as the wireless laptop and the BlackBerry has freed many employees from the office. Wireless applications, as a result, are handling core functions like order placement. Were the wireless equipment and applications designed to function without network connectivity for extended periods of time? Can a company still meet minimum levels of customer service without network connectivity? Outsourced data centers: While service-level agreements include a certain amount of resiliency and reliability, some clauses may not sufficiently cover a company s data needs during a major disruption. When another firm is running your data center, it s possible your data is moving to yet another center, based on utilization rates. The firm may have outsourced the operations of the data center or the help desk to another service organization. A full understanding of the service chain created by IT outsourcing helps companies consider different arrangements they may need to make. Real-time response rates: Much of corporate investment in IT has involved automation that shields the user from back-office complexity. If these functions are also outsourced, the possible complications should be understood and, where deemed critical, mitigated.

5 03 Emerging BCM standards Most global organizations have disaster recovery plans in place. But the quality varies widely a condition that has not gone unnoticed by officials charged with safeguarding the US economy in the event of a disaster. Across industries, we find BCM programs that are limited to data backup and storage methods, with no real plans for backup assets and facilities. Then there are BCM programs with no provisions for facilities and technology in the form of dedicated or shared hot sites. In the US, nearly 85% of the critical infrastructure such as transportation, banking, and utilities is owned by the private sector. Damage to that infrastructure presents a systemic threat to the US and, in particular, to the economy. Out of this concern, the US government is setting cross-industry guidelines. The program, known as the Voluntary Private Sector Preparedness Accreditation and Certification Program, or PS-Prep, remains in formation; we expect the process to complete in It is our belief that the process, while not mandatory, will set leading practices in BCM and as a result, further drive standardization. This may prompt some organizations to undergo the certification process as a competitive advantage. 1 Potential for reduced insurance premiums A thorough assessment by the BCM program leader and an insurance adviser of an organization s preparedness for the potential impacts of an interruption can help determine the right amount of coverage, potentially reducing business-interruptioninsurance premiums. Increased supply chain/service chain reliability A company s reliability can be an advantage when competing for business or meeting contractual obligations. Decreased legal liability Increased preparedness may mitigate certain litigation risks. Benchmarking BCM programs can be compared and monitored by using certification criteria. 1 PricewaterhouseCoopers, Point of view: The Voluntary Private Sector Preparedness Accreditation and Certification Program, October 20, private-sector-preparedness-program.jhtml.

6 04 Risk-based approach to disaster preparedness BCM programs should be updated and tested regularly, reflecting the pace and scale of change that companies are now undertaking Q: Which of the following changes, if any, has your organization implemented in the past three years? (Base: All respondents, 1,150) New business strategies 80% Implementation of new business processes Implementation of new technology Major quality improvement programs Major cost reduction programs Reorganization of major functions Mergers and acquisitions or joint ventures/strategic alliances Implementation of new business models Outsourcing of major business functions Other None of the above 3% 1% 28% Source: PricewaterhouseCoopers 11th Annual Global CEO Survey 65% 64% 63% 61% 60% 72% 71% % A well-structured resiliency program takes a risk-based approach to business continuity. It reflects the complexity of today s business environment and is broadened to counter vulnerabilities stemming from compliance, volatile economic conditions, and reputational risk. The range of expectations on BCM dictates that risk and business managers should unite with IT departments in determining what s critical to protect during an internal or external disruption. A company s supply chain deserves special attention in business continuity management. For example, it is critical for businesses to understand their supply chain s sensitivity to internal and vendor staff reductions in the event of a disaster. Who are your vendors key vendors, and what risks does an interruption in their businesses pose to yours? Do you document and test coordinated contingency planning with outsourcing providers that operate key functions? Have you identified alternate outsourcing providers if the primary provider s contingency planning is less mature? Do your service-level agreements with vendors ensure that your service needs will be met? Do you understand how your needs will be triaged relative to other clients of the service provider? Should higher stock levels be maintained for certain commodities that are difficult to acquire? In reviewing continuity-planning preparedness, business managers should consider these issues: 2 Does our existing BCM program adequately address our exposures? Does it address long-term resiliency as well as short-term survival? Does our BCM program encompass outsourced IT/business processes, our facilities, and key third parties? Has IT made correct assumptions on what to cover on behalf of the business? Has IT overly designed recovery capabilities or invested in the right places? Would certification enable us to lower our premium for business insurance? 2 For more on how companies are integrating risk and performance management, see 10Minutes on Managing Risk and Performance, May 27, en/10minutes/managing-risk-performance.jhtml.

7 Upcoming 10Minutes topics Creating more value from HR The link between effectively deployed talent and business results was never more apparent than during the financial crisis, as strong leadership by key decision makers enabled many firms to perform better than their competitors. 10Minutes discusses how companies can better align their human resources model to the strategic goals of the business in four key areas: brand, corporate vision, financial performance, and employee performance measurement. Executive compensation After nearly two decades, the pay-forperformance model is being revisited, as regulators and Congress aim to better align corporate compensation structures with risk considerations and sustainable performance. 10Minutes looks at how proposed rule making and legislation are likely to change not only compensation programs but also how companies define performance.

8 How PwC can help To have a deeper discussion about business continuity in an interconnected world, please contact: Robert Moritz US Chairman and Senior Partner PricewaterhouseCoopers LLP Phone: robert.moritz@us.pwc.com Phil Samson US Business Continuity Management Leader PricewaterhouseCoopers LLP Phone: phil.samson@us.pwc.com Tell us how you like 10Minutes and what topics you would like to hear more about. Just send an to: 10Minutes@us.pwc.com This publication is printed on Cougar recycled paper. It is a Forest Stewardship Council (FSC) certified stock using 10% post-consumer waste (PCW) fiber and manufactured in a way that supports the long-term health and sustainability of our forests PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. *connectedthinking and 10Minutes are both trademarks of PricewaterhouseCoopers LLP (US). NY