National Fire Protection Association s Contribution to Business Continuity Strategies

Transcription

1 National Fire Protection Association s Contribution to Business Continuity Strategies

2 about me 1. Retired AVP Senior Business Risk Consultant 2. FM Global Trained: Years Service 2. Founder Member of the Business Risk Consulting Group (BRCG) for FM Global. 3. Senior Account Engineer with Arkwright International/FM Global 4. Field Engineer/Account Engineer with Factory Mutual International (FMI) 3. Industrial Experience 1. Servicing FM Global s Corporate Clients from Account Engineering & BRCG responsibilities. 2. Conducted Business Impact Analysis (BIA) for pharmaceutical, mining, manufacturing, media, financial services, defence, medical, chemical, power generation industries. 3. Quantified financial risks for company s internal & external global supply chains 4. Contributed to Business Continuity training programmes & seminars 5. Reviewed Business Continuity Plans for FM Global clients 4. Professionally Qualified to Masters Degree Level 1. Member Chartered Management Institute (MCMI) 2. Chartered Chemical Engineer (CEng) 3. Fellow Institution of Chemical Engineers (FIChemE) 4. Certified Business Continuity Practitioner (CBCP) DRII (Member Lapsed) 5. Affiliate Member of Business Continuity Institute (BCI) (Current) 2

3 the introduction Business Continuity Management Survey of 1,021 Managers from the Chartered Management Institute

4 the introduction Business Continuity Management Survey Chartered Management Institute % Managers Anticipating Specific Causes of Disruption Loss of IT Loss of Telecommunications Loss of Access to Site Loss of Skills Loss of People Fire Loss of Electricity/Gas Damage to Corporate image/brand/reputation Terrorist Damage Extreme Weather (Flood/Winds) Negative publicity/coverage Malicious Cyber Attack Loss of water/sewerage Employee health and safety incident Transport disruption Supply Chain disruption Environmental incident Customer health/product safety incident Industrial action Pressure group protest School/childcare closures 0% 10% 20% 30% 40% 50% 60% 70% 80% 4

5 the introduction Business Continuity Management Survey Chartered Management Institute % Managers Actual Specific Causes of Disruption Loss of IT Loss of Telecommunications Loss of Access to Site Loss of People Loss of Skills Fire Loss of Electricity/Gas Damage to Corporate image/brand/reputation Terrorist Damage Extreme Weather (Flood/Winds) Negative publicity/coverage Malicious Cyber Attack Loss of water/sewerage Employee health and safety incident Transport disruption Supply Chain disruption Environmental incident Customer health/product safety incident Industrial action Pressure group protest School/childcare closures 0% 10% 20% 30% 40% 50% 60% 70% 80% 5

6 the introduction Business Continuity Management Survey Chartered Management Institute Loss of IT Loss of Telecommunications Loss of Access to Site Loss of Skills Loss of People Fire Loss of Electricity/Gas Damage to Corporate image/brand/reputation Terrorist Damage Extreme Weather (Flood/Winds) Negative publicity/coverage Malicious Cyber Attack Loss of water/sewerage Employee health and safety incident Transport disruption Supply Chain disruption Environmental incident Customer health/product safety incident Industrial action Pressure group protest School/childcare closures Anticipated Actual 0% 10% 20% 30% 40% 50% 60% 70% 80% 6

7 the introduction 12 month record of, number and impact by cause of disruptive incidents ( ) 7

8 the introduction % of Organisations with Business Continuity Plans

9 the introduction Summary of Key Findings: 1. The actual cause of a major disruption cannot be reliably predicted at any one time, hence the adopted measures of likelihood and/or probability of occurrence. 2. The meaning of a major impact to a business has different significance, depending on who is asked. 3. The gradual increase in Business Continuity Plans is primarily being attributed to corporate governance, legislation/regulation and customer demands. 9

10 my objectives 1. To briefly summarise the origins of the NFPA business continuity standard and to review the approach as a concept for business survival. 2. To outline a bespoke Business Impact Analysis (BIA) which can align Business Continuity activity with the entity s business requirements. 3. To explore where NFPA s fire protection and business continuity activities could contribute to the continuity strategies for a company s overall Business Continuity Management Systems (BCMS) programme. 10

11 my objectives What this presentation is NOT: 1. A debate on all Business Continuity standards. 2. A discussion on risk probabilities. 3. A detailed financial analysis of a company 4. A preparation of a Business Continuity Plan. 5. A worst-case scenario study of an incident in a particular industry 6. A full list of Business Continuity definitions. 7. A complete description of what is required for a Business Continuity Management System (BCMS), or the BCM Life-Cycle 8. A review of Emergency Management/Disaster Recovery systems 11

12 the agenda 1. Business Continuity s Development a. the origins 2. Bespoke Business Impact Analysis a. the concept b. the activity c. the analysis d. the benefits 3. Business Continuity Strategies a. the summary b. the conclusion 12

13 the origins NFPA s Contribution to Fire Protection, Health and Safety Established in 1896, NFPA develops, publishes, and disseminates more than 300 consensus codes and standards that are designed to minimize the risk and effects of fire by establishing criteria for building, processing, design, service, and installation in the United States, as well as many other countries. Virtually every building, process, service, design, and installation in society today is affected by NFPA documents. Codes and Standards Numbered: NFPA 1 thru NFPA

14 the origins NFPA s Contribution to Fire Protection, Health and Safety Timeline Status 1995 NFPA 1600 issued as first standard on disaster/emergency response 2000 Updated to include Total Programme Approach 2004 Updated terminology and reformatted text 2007 Expanded conceptual framework for disaster/emergency management & Business Continuity programmes. Prevention, risk management, security, loss prevention 2010 Reordered & expanded Programme Management. Addressed planning, implementation, testing & exercising, programme improvement Required Business Impact Analysis 2013 Wide array of changes. Alignment with CSA Z1600 & DRII Professional Practices 14

15 the origins Purpose NFPA 1600 Application Business Continuity adoption: Primary Focus: Primary objective: Strategic Objectives based on: Overall Outcome Predominant standard for US & Department of Homeland Security. (DHS). Used in Europe, Latin America, Asia, Chile, China, Colombia, Ecuador, Korea, Thailand T&T. Mid-size to large public not for profit and private sector organisations High level standard defining the essential elements of an emergency management and business continuity program. Prevention & mitigation of vulnerabilities to people, property, environment, business enterprise. Programme constraints, operational experience and cost benefit analysis from detailed analysis of all threats, hazards & causes. Procedures for documenting responses primarily according to laws and regulations. 15

16 the origins NFPA/DRII Definitions Disaster/Emergency Management. An ongoing process to prevent, mitigate, prepare for, respond to, maintain continuity during, and recover from an incident that threatens life, property, operations, or the environment. Business Continuity. An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services. Disaster/Emergency Management & Business Continuity Auditor Training

17 the origins NFPA 1600 IS A BCM STANDARD 1. emphasising programme policies and management components, provides guidelines that address the analysis, planning and implementation of the core elements of crisis management, business resumption planning and IT disaster recovery to manage the impact of disasters. 2. legal compliant but less concerned with the business requirements of the entity 17

18 the origins NFPA 1600 IS A BCM STANDARD 1. emphasising programme policies and management components, provides guidelines that address the analysis, planning and implementation of the core elements of crisis management, business resumption planning and IT disaster recovery to manage the impact of disasters. 2. legal compliant but less concerned with the business requirements of the entity 18

19 the origins Business Impact Analysis. A management level analysis that identifies, quantifies, and qualifies the impacts resulting from interruptions or disruptions of an entity s resources. The analysis may identify time-critical functions, recovery priorities, dependencies, and interdependencies so that recovery time objectives can be established and approved. NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2013 Edition

20 the origins The BIA shall evaluate the potential impact resulting from interruption or disruption of individual functions, processes, and applications * The BIA shall identify those functions, processes, infrastructure, systems, and applications that are critical to the entity and the point in time [recovery time objective (RTO)] when the impact of the interruption or disruption becomes unacceptable to the entity The BIA shall identify dependencies and interdependencies across functions, processes, and applications to determine the potential for compounding impact in the event of an interruption or disruption * The BIA shall evaluate the potential loss of information and the point in time [recovery point objective (RPO)] that defines the potential gap between the last backup of information and the time of the interruption or disruption * The BIA shall be used in the development of recovery strategies and plans to support the program. NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2013 Edition

21 the origins NFPA 1600 States the BIA should include 3 main components: 1. Identify the lines of process flow (i.e., material flow, information flow, people movement, cash flow) and time constraints. 2. Identify the interruption potentials that describe the financial, regulatory, customer, or operational impacts. 3. Identify the entity s dependency on technology infrastructure. NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2013 Edition

22 the origins Typical observations from my review of Business Continuity Plans:- 1. Plans lacked strategic direction from a Senior Management Business Continuity Policy. 2. Plans had no documented ownership, or demonstrated practical support, by appointed Senior Management at Board Level 3. Plans not aligned with business requirements: a. lacked business objectives, b. omitted customer requirements, c. ignored market demands to maintain a key customer base, d. omitted actions to assure delivery of products and/or services. 4. Plans predominantly based on worst-case scenarios identified from specific causes of disruption and estimated time required to repair damage and restore operations to normal levels. 5. Plans contained far too much detail and appeared onerous to maintain current. 22

23 the agenda the origins the concept the activity the analysis the benefits the summary the conclusion 23

24 the concept Business Continuity Survey Question 1. How will we do business if our critical systems are rendered inoperable? 2. How can we resume operations quickly following a business disruption? 3. Are there any particular vulnerable aspects to our business that we can eliminate as opposed to harden? 4. What are the pieces of business that are so critical that a major investment in hardening or redundancy would be justified? 5. Despite taking proper precautions are we still vulnerable to disruption due to outmoded infrastructure in the region? What the Questions should have Asked How can we maintain delivery of our products/services to achieve survival income? Within what time do we need to recover critical operations to achieve survival income? What strategy is required to reduce our dependency on internal and external critical activities? Which products/services must we deliver to key customers to maintain survival income during recovery of operations????? What is wrong with these questions? 24

25 the concept Business Continuity Survey Question 1. How will we do business if our critical systems are rendered inoperable? 2. How can we resume operations quickly following a business disruption? 3. Are there any particular vulnerable aspects to our business that we can eliminate as opposed to harden? 4. What are the pieces of business that are so critical that a major investment in hardening or redundancy would be justified? 5. Despite taking proper precautions are we still vulnerable to disruption due to outmoded infrastructure in the region? What the Questions should have Asked How can we maintain delivery of our products/services to achieve survival income? Within what time do we need to recover critical operations to achieve survival income? What strategy is required to reduce our dependency on internal and external critical activities? Which products/services must we deliver to key customers to maintain survival income during recovery of operations????? 25

26 the concept BUSINESS SURVIVAL IS PRIMARILY ABOUT MANAGING CASHFLOWS: 1. Maintaining optimum cash-flows over time during periods of: unplanned disruption to normal operations recovery to product/services delivery as usual 2. Ensuring future growth in income by: supporting present & future customers development of future key markets reflecting changes to the business environment complying with legislation and regulation

27 the concept MANAGEMENT MUST BE PRO-ACTIVE IN MANAGING CASHFLOWS: Management need to establish business continuity objectives that must be achieved over time to maintain sufficient cash flows for the business in the event of any disruption, approve appropriate Business Continuity strategies to achieve the objectives 27

28 the concept TIME IS MONEY!! 28

29 Service Capacity (Cashflow) the concept 100% Normal level of operation Maximum Acceptable Outage (MAO) Minimum level of operation for business survival 0% Business Continuity Strategy Objective Unplanned operational disruption & restoration Incident Response Plan Disaster Recovery Plan Business Continuity Plan (BCP) Time Decision to invoke BCP immediate short term Phase 1 short to medium term Phase 2 medium to long term Phase 3 Increasing size of incident 29

30 the concept Management pre-determines what needs to be managed right to achieve the objectives 30

31 the concept Causes of Physical Disruption Natural Catastrophes Pre-Disruption Mitigating BC Strategies Earthquake Enhanced structural design standards Tsunami Height of tidal levees at susceptible locations Flood Maintenance, dredging, adequate flood walls, barriers Windstorm, hurricanes, tornados Operational Failure Secure buildings & structures to National Standards Adjust ground level gradients, add drainage Loss of Equipment Alternate providers and/or shared resources Mechanical breakdown Regular maintenance, spare parts policy, duplication Property damage Fire sprinklers, water supply, fire walls, non-combustible construction, fixed extinguishers, hazard reduction Construction collapse Building design codes 31

32 the concept Causes of Non-Physical Disruption Reduced Product Sales Pre-Disruption Business BC Strategies supplier solvency product substitution, replacement, duplication, dual sourcing increased market competition discount options, target specific markets end of product life-cycle product mix, product churn, new product development out-dated business model Operational Failure expand distribution channels (national vs international), implement internet access, next day delivery. obsolete equipment phased replacement & updating, standardisation loss of key peoples skills succession planning poor management practises management team skills, Merger & Acquisition (M&A), takeover regulation/legal violation implement sound relationships with governing authorities 32

33 the concept Consequences of Disruption Loss of productivity Customer complaints received Increased cost of working Service outcome impaired Loss of revenue Damage to brand/reputation/image Product release delay Product recall/withdrawal Payment of service credits Share price fall Stakeholder/shareholder concern Delayed cash flows Expected increase in regulatory scrutiny Loss of regular customers Fine by regulator for non-compliance Cost of Largest Single Disruption in Supply Chain Total Cost Greater than 1mill 500,000-1mill 250, ,000 50, ,000 < 50,000 % Survey Respondents 9% 9% 19% 5% 59% BCI Supply Chain Survey

34 the concept Stage 1: Understand the Business Management establish strategic business continuity objectives Agree minimum cash-flow required for survival. Identify key markets and customers essential to the business. Establish the Maximum Acceptable Outage (MAO) for key products and/or service deliverables. Stage 2: Develop Strategies for Survival Management approve measures for resilience. Management approve strategies for continuity. Stage 3: Implement the Strategies Protect physical assets for internal & external resources. Enhance resilience of internal & external supply chains for key deliverables, as required. 34

35 the agenda the origins the concept the activity the analysis the benefits the summary the conclusion 35

36 the activity Sample interdependency flow diagram for Corporate products & services 36

37 the activity Sample Structure for a Company s Product/Services Niche Products Premium Products Commodity Products Product Categories Product Branding Markets Served Consumer Profiles 37

38 the activity MISSION CRITICAL ACTIVITIES (MCA) S U P P L I E R S Inbound Logistics Firm Infrastructure Assets & Resources Management Philosophy Information Technology & Communications Business Continuity Management Manufacturing or Processing Operations Finished Good or Process Control Outbound Logistics Marketing Sales & Service Profit C U S T O M E R S 38

39 the activity Understanding the Business Marketing Finance Operations Suppliers & Purchasing IT/IS/ICT Business Continuity & Disaster Recovery Management Activity Focus Sales, Sales Recovery & Customer Profiles Sales/Insurable Gross Profit/Business Income Activity dependency on income stream at each location Key product service dependency Dependency on information/data for delivery Status and relevance for business needs. 39

40 the agenda the origins the concept the activity the analysis the benefits the summary the conclusion 40

41 the analysis Sample Financial Dependency Matrix For 12 Months Trading 41

42 the analysis Market Recovery Profile Assumed Period of Disruption 3 months 6 months 9 months 12 months 15 months 18 months 21 months 24 months Percentage of the product revenue anticipated in each year following restoration of supply, as a percentage of the revenue in the year prior to the disruption. Year 1 Year 2 Year 3 42

43 Cash-flow Impact (% Annual Income) the analysis Impact vs Time Recovery Profile for Strategic Income Streams 200% 180% Worst case unmitigated impact 160% 140% 120% 100% 80% 60% 40% 20% 0% Business Continuity Strategic Objective mitigated impact 50% 65% 83% 100% 75% 50% 25% Business Continuity 3 6 Strategies 9 12 Months of Disruption Production Impact Market Impact 43

44 the agenda the origins the concept the activity the analysis the benefits the summary the conclusion 44

45 1. Understand the Business & Establish Continuity Objectives The Business Impact Analysis establishes bases for key continuity objectives: Product delivery criteria (MAO) for strategic market & income streams, Identifies critical dependencies through internal and external supply chains Identifies Mission Critical Activities (MCA) for resources, activities and processes, Quantifies the financial dependency on internal & external resources & suppliers 2. Continuity Strategies the benefits Pre-plan strategies required to achieve continuity objectives: Know what options are required to achieve optimum cash-flow Identifies What needs to be managed right to achieve objectives Protects key physical property assets from physical damage Reviews options to enhance resilience of critical activities and key suppliers 45

46 the benefits 1. Costs for Business Continuity Strategies are spent where there is added value: Enhances the business of the company through improved resilience Improves & enhances alignment with normal business requirements Protects critically dependent physical assets within the supply chains Achieves minimum cash-flow for the business, whatever the cause of the disruption may be. Costs incurred can enhance normal business practise. 2. Integrating Business Continuity Management Systems supports Management: Improves product and/or service delivery to the company s customer Reduces costs of business continuity Provides competitive advantage for the business from demonstrating added resilience. 46

47 the agenda the origins the concept the activity the analysis the benefits the summary the conclusion 47

48 the summary How can NFPA make a contribution to Business Continuity Strategies? NFPA 1600 & 13 Codes & Standards provide a consistent quality standard for a company to achieve strategic Business Continuity objectives. NFPA 1600 contributes to Business Continuity strategies by advising on: 1. What information should be gathered in a BIA to establish strategic objectives. 2. Guidance for management to assess what strategies should be implemented to achieve the strategic objectives. NFPA 13 contributes to Business Continuity strategies by: 1. Providing a quality standard for the implementation of physical protection where required as a solution for identified Business Continuity strategies. 48

49 the agenda the origins the concept the activity the analysis the benefits the summary the conclusion 49

50 the conclusion The National Fire Protection Association s Business Continuity activities and expertise directly support a company s business continuity strategies through: a) The specification of the content requirements of a Business Impact Analysis in NFPA b) Offering qualified expertise and quality products and services through NFPA 13 where the protection of physical assets is deemed a solution to a continuity strategy. 50

51 the conclusion I have: 1. Summarised findings from a Business Continuity survey 2. Briefly explored the origins of the NFPA s Business Continuity Standard and appropriateness as a concept for business survival 3. Described a BIA process which can help establish business continuity strategic priorities and objectives that will enhance the delivery of the entity s products and services as an aid to business survival. 4. Identified where NFPA s core competences in the development of specific Codes and Standards can be applied to support an entity s business continuity strategies 51

52 one final thought Causes of Business Disruption Reduced Product Sales Sample Cash-flow BC Strategies supplier solvency product substitution, replacement, duplication, dual sourcing increased market competition discount options, target specific markets end of product life-cycle product mix, product churn, new product development out-dated business model Operational Failure expand distribution channels (national vs international), implement internet access, next day delivery. obsolete equipment phased replacement & updating, loss of key peoples skills succession planning poor management practises management team skills, Merger & Acquisition (M&A), takeover regulation/legal violation implement sound relationships with governing authorities 52

53 one final thought Causes of Business Disruption Reduced Product Sales Sample Cash-flow BC Strategies supplier solvency product substitution, replacement, duplication, dual sourcing increased market competition discount options, target specific markets end of product life-cycle product mix, product churn, new product development out-dated business model Operational Failure expand distribution channels (national vs international), implement internet access, next day delivery. obsolete equipment phased replacement & updating, loss of key peoples skills succession planning poor management practises management team skills, Merger & Acquisition (M&A), takeover regulation/legal violation implement sound relationships with governing authorities 53

54 Thank You for Listening