Medtronic - Production Machining
Focusing and Measuring Your Continuity Efforts to Improve Resiliency Tanya Raso Director, Corporate Risk & Business Continuity
1
April 12-14, 2010 Sheraton New Orleans
Medtronic: Driven By Our Mission The world leader in medical technology Focus on treating chronic disease Every 5 seconds, someone in the world benefits from Medtronic technology
2
April 12-14, 2010 Sheraton New Orleans
Our Products Treat Many Chronic Conditions Neurological Disorders
Cardiac Rhythm Disorders
Ear, Nose and Throat Conditions
Cardiovascular Disease
Spinal Conditions and Musculoskeletal Trauma
Urological and Digestive Disorders
Diabetes
3
April 12-14, 2010 Sheraton New Orleans
1
A Large International Organization $14.6 Billion Revenues 38,000 Employees 120 Countries 270 Locations 44 Manufacturing Sites 25 R&D Centers 22 Training Facilities
April 12-14, 2010 Sheraton New Orleans
4
Complex & Highly-Regulated Operations
April 12-14, 2010 Sheraton New Orleans
5
Our BCM Vision: Create a Resilient Organization The BCM Best Practice Model* Leadership + Governance
Risk identification and impact analysis
Strategy + Policy
Risk mitigation, planning and preparation
People + Organization
Establish culture, exercise and maintain plans
Enterprise View
Operational View
Resources Key BCM process areas BCM structural enablers
*Model provided by PA Consulting.
6
April 12-14, 2010 Sheraton New Orleans
2
Our Road to Resilience 6. Embed BCM into Culture 5. Prioritize, Measure, & Report
4. Define Standards & Requirements
3. Pilot/Implement BCM Process Across Organization 2. Develop 6 Step BCM Process and Tools
1. Define BCM Vision and High-Level Policy
7
April 12-14, 2010 Sheraton New Orleans
The Problem? Trying to Boil the Ocean! So many sites!
How to focus & prioritize?
So many risks!
What are the key issues?
Tactical focus!
How to make BCM more strategic?
Not everybody “embracing” BCM!
How to drive compliance?
8
April 12-14, 2010 Sheraton New Orleans
The Solution? Focus, Measure, Report! 1. Conduct a Business Impact Analysis at the company level
What sites are most critical?
2. Develop BCM Standards & Scorecard
Are key sites resilient? What are the big issues?
3. Improve Management Reporting and Drive BCM “Strategies”
Are key exposures getting addressed?
9
April 12-14, 2010 Sheraton New Orleans
3
Conduct Company-Level BIA Purpose: Assess key locations according to criticality in order to quantify the potential impact of a business interruption and highlight where to focus our continuity and resilience efforts.
Scope: All manufacturing locations. Distribution centers with inventory exceeding $5 million. Customer service centers generating more than 5% of regional revenue. Key IT, R&D, and Administrative (HQ) locations.
10
April 12-14, 2010 Sheraton New Orleans
The BIA Process 1. Identify data criteria to evaluate sites 2. Gather and compile data 3. Determine how to “score” the data 4. Calculate each site’s overall criticality rating 5. Summarize the results by rating 6. Validate results with BU management
11
April 12-14, 2010 Sheraton New Orleans
Identify Data Criteria to Evaluate Sites DATA
RELEVANCE
All Locations # of Employees
Reflects size of operation; potential # of employees impacted by event or potentially displaced
Type of Operation
Certain operations have a more immediate impact
% of Company Revenue at Risk
Reflects % of company revenue at risk if operations are interrupted
% of Business Unit Revenue at Risk
Reflects % of BU revenue at risk if operations are interrupted
Operational Uniqueness
Reflects degree operations are unique to that site and the ability for another site (internal or external) to mitigate an interruption
Customer Service & Distribution Locations % of Regional Revenue at Risk
Reflects % of regional revenue at risk if operations are interrupted
Distribution Locations % of Inventory in DC vs. Field
Reflects % of inventory physically at risk in DC
$ Value of Inventory
Reflects value of inventory physically at risk in DC
12
April 12-14, 2010 Sheraton New Orleans
4
Gather Data – BU Template FY10 Business Impact Analysis (BIA) Business Unit: Business Unit A BU Site Overview Please ensure the list of sites is accurate and includes all sites for your BU. Then place an X in the appropriate cells for all activities that are performed at each site related to your Business Unit and provide the requested information. IT Operations
Number of Buildings at Site
Site
Manufacturing
Number of Operational Impact of Operational Overview Administrati Applications ve (BU HQ Locally Hosted Local Data Center (describe main Outage (select from operations (products) of or Shared (select from drop down) Service) drop down) site)
Site A
4
Product A & B Mfg
X
1-5
Local Site Only
X
Site B
2
X
>100
Enterprise Wide
X
16-100
Entire BU or Region
X
6-15
Multiple Sites
Site C
3
HQ, R&D Vertically integrated XYZ Source
Site D
2
Product C &D Mfg
Customer Distribution Service (Call (Direct to End Center) Customer)
R&D
Component Mfg
Operational Uniqueness
Describe any operational redundancy readily available at Assembly other sites (or externally) or if the Operations site is a sole supplier.
X
X
Sole supplier for Product A
Site A can be utilized if needed. X
X
Can be outsourced to Acme Supply
X
Can recover operations at Site A
Operational Uniqueness Rating (select from drop down) 4 - Sole source and difficult to replicate; NO redundancy exists 2 - Some redundancy exists OR sole source ops can be replicated or outsourced with relative ease 1 - Full redundancy exists OR can be immediately outsourced 3 - Minimal redundancy exists OR sole source ops can be replicated with moderate effort
BU Product Revenue Stream Analysis For each product category, please provide the requested information. See below for additional instructional notes. While historical revenues are referenced, please analyze the organization as it is or will be by end of FY10. The site percentages will be applied to updated revenue numbers as they become available. FY09 Revenues
Product Line/Category (1) Product A Product B Total Business A Product C Product D
(FY09 Actual at Actual FX) (in 000s)
Site A
Site C
25.0%
100%
100%
250,000
30.0%
100%
100%
100%
100%
0%
100%
100%
100%
10%
750,000 250,000
40.0%
350,000
45.0%
50,000
45.0%
Product E Total Business B Total Business Unit
% of Product Line Revenue at Risk if Site Operations were Interrupted (2) (Insert comment boxes as needed)
Average Gross Margin Percent
500,000
Site D
Average # of Weeks of FG Inventory in Distribution Centers (3)
OEM/CM
Europe and Canada
U.S. 2
0%
100%
650,000
0%
92%
44%
0%
1,400,000
54%
96%
20%
0%
Asia Pacific
3
Comments
2
4
3
2
4
6
5
3
2
2
3
3
3
0%
8% 0.0%
4%
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
13
Compile Data for All Sites FY10 Business Impact Analysis - Sorted by Region Location Profile
Business Impact Profile
SS A
City, State, Country City, State, Country
1 1
450 90
1 1
B
B C
CM
CM
FM FM
RD RD
FM FM FM
D RD
CS
D RD
23% 15% 29%
54% 0% 96%
4% 9% 3%
20%
15% 35% 17%
% of Total Inventory in DC
52%
(sole source/ redundancy capability/ ease of replication)
Description Description Description Description
9%
11% 0%
60%
Total FG Inventory Value Physically in DC's (in $ millions)
MS LS
CM
% of BU B Revenue at Risk
16-100 1-5
HQ HQ
CS
R&D
MS LS LS
% of BU A Revenue at Risk
LS EW RG
6-15 1-5 1-5
Distribution
1-5 >100 16-100
SS
% of Total Company Revenue at Risk
SS
A
Final Assembly / Mfg
HQ A
C C
Operational Uniqueness
Financial Impact % of Total Regional Revenue at Risk
1 2 1
Component Mfg
2 2 3
305 240 900
IT: No. of Apps Locally Hosted
C
1,700 190 700
2 2 1
Customer Srvc Call Center
B B B
4 2 3
City, State, Country City, State, Country City, State, Country
Admin/HQ
C SS A A A
City, State, Country City, State, Country City, State, Country
IT: Data Center Impact
Region B Site D Site E Site F Region C Site G Site H
Shared Service Center
Business Unit C
Region A Site A Site B Site C
Type of Operations
% of BU C Revenue at Risk
Businesses Served
# of BU's Corporate
# of EE's
Shared Service
# of Bldgs
Business Unit A
Location
Business Unit B
Facility Name
35% 23%
75%
25% 75%
77.0
Description Description
15% 48%
15.0
Description
0%
Description
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
14
Develop Scoring Criteria Business Impact Analysis Criticality Rating Criteria
Split According to Logical Distribution as well as Stakeholder View
Criticality Criteria ALL LOCATIONS # of Employees
4
3
2
1
> 1,500
750 - 1,499
250 - 749
< 250
Customer Service Component Mfg Level 4 Data Center
Distribution Finished Goods Mfg Level 3 Data Center Shared Service Center
R&D Level 2 Data Center
Admin Level 1 Data Center
> 20%
10 - 19%
5 - 9%
> 50%
25 - 49%
10 - 24%
Criticality Score
Type of Operation
% of Company Revenue % of BU Revenue Operational Uniqueness
Sole source and difficult Minimal redundancy exists OR Some redundancy exists OR sole to replicate; NO sole source ops can be replicated source ops can be replicated or outsourced with relative ease redundancy exists with moderate effort
< 5% < 10% Full redundancy exists OR can be immediately outsourced
CUSTOMER SERVICE & DISTRIBUTION CENTER LOCATIONS > 50% % of Regional Revenue
25 - 49%
10 - 24%
DISTRIBUTION CENTER LOCATIONS % of Total Inventory in DC vs in Field > 75%
50 - 74%
25 - 49%
< 25%
$25m - $75m
$10m - $25m
< $10m
$ LBM Value of Inventory
> $75m
< 10%
All scores were equally weighted, with the exception of % of Company Revenue, which was given twice as much weight.
15
April 12-14, 2010 Sheraton New Orleans
5
Score the Sites FY10 Business Impact Analysis - Sorted by Region Location Profile
Business Impact Profile
1 2 1
SS A
City, State, Country City, State, Country
1 1
450 90
1 1
B
B
SS
A
SS
HQ C HQ
1-5 LS >100 EW 16-100 RG 6-15 1-5 1-5
CM
16-100 MS 1-5 LS
CM
RD RD
FM FM FM
D RD
CS
D RD
23% 15% 29%
54% 0% 96%
4% 9% 3%
20%
11% 0%
15% 35% 17%
52%
% of Total Inventory in DC
60%
Total FG Inventory Value Physically in DC's (in $ millions)
% of BU B Revenue at Risk
R&D
Distribution
FM FM
% of BU A Revenue at Risk
CM
% of Total Company Revenue at Risk
CS
MS LS LS
Final Assembly / Mfg
IT: Data Center Impact
Admin/HQ HQ A
C C
Operational Uniqueness
Financial Impact % of BU C Revenue at Risk
2 2 3
305 240 900
Component Mfg
1,700 190 700
Customer Srvc Call Center
4 2 3 2 2 1
IT: No. of Apps Locally Hosted
C
City, State, Country City, State, Country City, State, Country City, State, Country City, State, Country City, State, Country
Shared Service Center
B B B
Shared Service
C SS A A A
Corporate Region A Site A Site B Site C Region B Site D Site E Site F Region C Site G Site H
Type of Operations
% of Total Regional Revenue at Risk
Businesses Served
# of # of EE's BU's
Business Unit A
# of Bldgs
Business Unit C
Location
Business Unit B
Facility Name
(sole source/ redundancy capability/ ease of replication)
Description Description Description Description
9%
35% 23%
75%
25% 75%
77.0
Description Description
15% 48%
15.0
0%
Description Description
Calculated Business Impact (Criticality) Rating
Strategic/ Subjective Factors
Rating Adjustment Based on Subjective Factors
Final Business Impact (Criticality) Rating
4.00 2.67 2.86
4.00 2.67 2.86
2.00 2.89 2.33
2.00 2.89 2.33
2.67 1.17
2.67 1.17
Expected Rating Change Over Next 12 Months
Subjective Factors
Objective Scoring
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
16
Summarize BIA Results Business Impact Analysis Site Summary by Business Impact (Criticality) Level
Criticality Level Critical >3 Site A
High 3 - 2.1
Medium 2 - 1.6
Site E Site C Site B Site G Site F
Low < 1.5
Site D
Site H
Example Results 15% of Sites
20% of Sites
40% of Sites
25% of Sites
All data is fictitious and is included for example purposes only.
17
April 12-14, 2010 Sheraton New Orleans
Validate Results with BU Management GATHER INPUT ON: Their view of criticality Current ops initiatives Future ops strategies
18
April 12-14, 2010 Sheraton New Orleans
6
BIA Results
Simplistic approach, yet delivered logical results
No big surprises, but quantification of impact was powerful
Easy buy-in about where continuity focus is needed
Viewed as valuable exercise; new way of assessing operations
Increased our credibility by demonstrating we “got” their business
Able to identify themes in data and analyze by organizational type
Identified concentration of operations as well as leverage opportunities across company (vs. typical BU view)
Analysis leveraged by other corporate groups
19
April 12-14, 2010 Sheraton New Orleans
Now Know Where to Focus, BUT ARE OUR KEY SITES RESILIENT? HOW DO WE KNOW WE’VE DONE ENOUGH?
20
April 12-14, 2010 Sheraton New Orleans
GOALS: Drive mgmt engagement Ensure full compliance Recognize progress Address problem areas
Achieve Resilience!
Standards Follow BCM Process Steps
Develop Formal Standards & Requirements
Review/modify requirements and points annually to influence areas of focus.
21
April 12-14, 2010 Sheraton New Orleans
7
Measure Performance Resilience! FY10 BCM Detailed Site Scorecard
4.00
4 Weeks
Site E
2.89
3-4 Weeks
Site D
2.00
4-6 Weeks
Site H
1.17
2 weeks
Site A
6 Weeks Identified through site business impact and risk assessment. Examples range from lack of backup or recovery options; equipment or 2 Weeks supplier dependencies; lack of redundant utility feeds; IT exposures; key people TBD dependencies, etc.
1 Week
7.3 Planning Gaps from Tests Addressed
7.2 Plans Meet RTO's
7.1 Plans in Place & Tested
6.3 Planning Gaps from Tests Addressed
6.2 Plans Meet RTO's
Std. 6: Business Std. 7: IT Disaster Continuity Plans Recovery Plans 6.1 Plans in Place & Tested
5.5 Emergency Action Plan in Place & Tested 5.6 Pandemic Crisis Mgmt Plan in Pace 5.7 Incident Reports Completed & Submitted
5.4 Crisis Mgmt Plans in Place & Tested
5.3 Crisis Commander Implemented
5.2 Notification System or Process in Place and Tested
Std. 5: Emergency and Crisis Management Practices 5.1 Satellite Phone in Place
4.2 Semi-annual Risk Reporting
Std. 4: Risk Mgmt 4.1 Continuous Risk Mitigation Progress
Std. 3: BIRA Completion 3.3 Risk Summary Signed-Off by Mgmt
Std. 2: BCM Scope Includes all Critical Business Processes
3.1 BIRA's Completed Annually 3.2 Risk Tracker Completed
(Key Exposures)
1.2 BCM Coordinator
Top 5 BCM Risks
1.1 Site Objective
Defined Recovery Time Objective
Business Impact (Criticality) Rating
Estimated Current Recovery Time Gap
Facility Name
Std. 1: Mgmt Support
Time to Recover
Location Profile
Overall FY 10 Goals/ Comments/ BCM Explanations Commitments Status
4
4
4
0
0
0
0
0
2
4
0
0
4
0
0
0
0
0
0
0
0
22
4
4
4
4
4
4
4
4
2
4
2
4
4
4
3.9
4
3
3
4
4
4
77.9
4
4
4
4
0
0
3
0
2
4
2
4
4
4
0
2
2
3
3
2
3
54
4
4
4
4
4
4
0
0
0
4
0
0
4
4
4
0
0
0
0
0
0
40
Self-Assessment “Checklist”
Identify Recovery Gaps Report Top Exposures
The Overall BCM Score based on % completion: > 85% complete 51% < score < 85% complete 31% < score < 50% complete < 31% complete
All data is fictitious and is included for example purposes only.
22
April 12-14, 2010 Sheraton New Orleans
Scorecard Results Formalized expectations; reduced confusion Helped articulate BCM gaps to local mgmt & gain support Self-assessment increased accountability Objective and auditable Improved communication between sites and corporate Effectively drives continuous improvement
Bottom Line – Increased Confidence in Efforts!
23
April 12-14, 2010 Sheraton New Orleans
Next Challenge: Drive Support from Top
CREATE RISK AWARENESS DRIVE ACTION AND ACCOUNTABILITY MAKE BCM STRATEGIC
24
April 12-14, 2010 Sheraton New Orleans
8
Improve Mgmt Reporting & Drive BCM “Strategies” LEVELS:
OBJECTIVES: Awareness/Signoff of Key Site Risks Drive Mitigation & Approve Investment Integrate into Operating Strategies
BU/Regional BU/Regional Mgmt Mgmt
Awareness/Signoff of Key Company Risks Develop Cross-Company Solutions Integrate into Cross-Company Strategies
Operations Operations Council Council
Review of Key BU Ops Projects
ExecMgmt Mgmt Exec
Awareness/Signoff of Key Company Risks Drive BU/Regional Accountability Approve Central Resources
BOD: Audit Audit BOD: Committee Committee
Awareness of Key Company Risks Drive Management Accountability
April 12-14, 2010 Sheraton New Orleans
25
Example BU BCM Scorecard Business Impact Site (BIA Rating)
Resilience
Operations Profile
# of BUs
# of EE’s
% of Co. Rev
% of BU Rev
Geo Risk
Overall BCM Score
Recovery Time Objective
Site A Location (4.0)
Product A, B and Z Mfg
2
1,700
23%
54%
4 weeks
6 weeks
Recovery Gap
No back up for Product A Need to define equipment contingency options for Line 4 IT DR gaps
Key Exposures
Site E Location (2.89)
Product X & Z Mfg Distribution
2
240
9%
9%
3-4 weeks
1 week
Single/sole source suppliers Improve energy/water backup options
Recommendations: 1. 2. 3. 4. 5.
Completion of XYZ project is critical; alternatives needed if delayed. Resolve BCP gaps at Site E (generator, suppliers). Ensure that IT backup/manual procedures exist for Site A. Standardize ops processes to increase backup capabilities (Site A & E). Develop continuity plans for Z mfg ops (Site A).
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
26
Example Overall BU BCM Strategy
Site A (54% BU Rev)
Site E
Product A Mfg
(9% BU Rev)
Product B Mfg
Product X Mfg Product Z Mfg Product Z Mfg Distribution
BCM Strategy Legend Backup Site
Recovery Plan
Outsource
Inventory
All data is fictitious and is included for example purposes only.
27
April 12-14, 2010 Sheraton New Orleans
9
Example Mgmt & Board Report Semi-annual reports provided for critical locations. Business Impact Type of Org
Mfg
Site
Sole-Sourced Operations
Geo Risk
Overall BCM Score
FY10 Goals
% of Co. Rev
Site A (Location)
2
23%
Product A Mfg
Develop high-level contingency strategy for Product A mfg operations.
FY10Q4
Site recovery times defined; risk assessments finalized by Q2.
Site E (Location)
2
9%
Product X Mfg Primary DC for region.
Complete BCP plans and implement backup power generator.
FY10Q2
Mitigation projects prioritized and funding approved.
Site G (Location)
1
11%
Sole customer service call center for region
Build call backup at XYZ region site; develop interim contingency.
FY10Q3
Interim solution being implemented; backup site option being evaluated.
DC
Customer Service
Resilience
# of BUs
FY10 Action Plan
Target Date
Current Status
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
28
Results of Reporting They “Get” BCM! Focused Data Speaks! We Have Their Attention and a Seat at the Table More Strategic View of Risk and Risk Thresholds Strong Management Commitment to Drive Action and Hold Businesses Accountable Now a “Given” that BCM Should be a Part of Operations Strategy Cross Business and Global Collaboration on Key Issues Request to Extend Process to Key Suppliers
WE’VE GOT A LONG WAY TO GO, BUT THE SHIP HAS BEEN TURNED!
29
April 12-14, 2010 Sheraton New Orleans
The Key to Resilience?
Focus! Measure! Report!
30
April 12-14, 2010 Sheraton New Orleans
10
DON’T BOIL THE OCEAN!!
FOCUS ON THE ICEBERGS! 31
April 12-14, 2010 Sheraton New Orleans
Questions and Discussion
32
April 12-14, 2010 Sheraton New Orleans
Contact Info
Tanya Raso Director, Corporate Risk and Business Continuity [email protected] 763-515-1009
33
April 12-14, 2010 Sheraton New Orleans
11
1
April 12-14, 2010 Sheraton New Orleans
Medtronic: Driven By Our Mission The world leader in medical technology Focus on treating chronic disease Every 5 seconds, someone in the world benefits from Medtronic technology
2
April 12-14, 2010 Sheraton New Orleans
Our Products Treat Many Chronic Conditions Neurological Disorders
Cardiac Rhythm Disorders
Ear, Nose and Throat Conditions
Cardiovascular Disease
Spinal Conditions and Musculoskeletal Trauma
Urological and Digestive Disorders
Diabetes
3
April 12-14, 2010 Sheraton New Orleans
1
A Large International Organization $14.6 Billion Revenues 38,000 Employees 120 Countries 270 Locations 44 Manufacturing Sites 25 R&D Centers 22 Training Facilities
April 12-14, 2010 Sheraton New Orleans
4
Complex & Highly-Regulated Operations
April 12-14, 2010 Sheraton New Orleans
5
Our BCM Vision: Create a Resilient Organization The BCM Best Practice Model* Leadership + Governance
Risk identification and impact analysis
Strategy + Policy
Risk mitigation, planning and preparation
People + Organization
Establish culture, exercise and maintain plans
Enterprise View
Operational View
Resources Key BCM process areas BCM structural enablers
*Model provided by PA Consulting.
6
April 12-14, 2010 Sheraton New Orleans
2
Our Road to Resilience 6. Embed BCM into Culture 5. Prioritize, Measure, & Report
4. Define Standards & Requirements
3. Pilot/Implement BCM Process Across Organization 2. Develop 6 Step BCM Process and Tools
1. Define BCM Vision and High-Level Policy
7
April 12-14, 2010 Sheraton New Orleans
The Problem? Trying to Boil the Ocean! So many sites!
How to focus & prioritize?
So many risks!
What are the key issues?
Tactical focus!
How to make BCM more strategic?
Not everybody “embracing” BCM!
How to drive compliance?
8
April 12-14, 2010 Sheraton New Orleans
The Solution? Focus, Measure, Report! 1. Conduct a Business Impact Analysis at the company level
What sites are most critical?
2. Develop BCM Standards & Scorecard
Are key sites resilient? What are the big issues?
3. Improve Management Reporting and Drive BCM “Strategies”
Are key exposures getting addressed?
9
April 12-14, 2010 Sheraton New Orleans
3
Conduct Company-Level BIA Purpose: Assess key locations according to criticality in order to quantify the potential impact of a business interruption and highlight where to focus our continuity and resilience efforts.
Scope: All manufacturing locations. Distribution centers with inventory exceeding $5 million. Customer service centers generating more than 5% of regional revenue. Key IT, R&D, and Administrative (HQ) locations.
10
April 12-14, 2010 Sheraton New Orleans
The BIA Process 1. Identify data criteria to evaluate sites 2. Gather and compile data 3. Determine how to “score” the data 4. Calculate each site’s overall criticality rating 5. Summarize the results by rating 6. Validate results with BU management
11
April 12-14, 2010 Sheraton New Orleans
Identify Data Criteria to Evaluate Sites DATA
RELEVANCE
All Locations # of Employees
Reflects size of operation; potential # of employees impacted by event or potentially displaced
Type of Operation
Certain operations have a more immediate impact
% of Company Revenue at Risk
Reflects % of company revenue at risk if operations are interrupted
% of Business Unit Revenue at Risk
Reflects % of BU revenue at risk if operations are interrupted
Operational Uniqueness
Reflects degree operations are unique to that site and the ability for another site (internal or external) to mitigate an interruption
Customer Service & Distribution Locations % of Regional Revenue at Risk
Reflects % of regional revenue at risk if operations are interrupted
Distribution Locations % of Inventory in DC vs. Field
Reflects % of inventory physically at risk in DC
$ Value of Inventory
Reflects value of inventory physically at risk in DC
12
April 12-14, 2010 Sheraton New Orleans
4
Gather Data – BU Template FY10 Business Impact Analysis (BIA) Business Unit: Business Unit A BU Site Overview Please ensure the list of sites is accurate and includes all sites for your BU. Then place an X in the appropriate cells for all activities that are performed at each site related to your Business Unit and provide the requested information. IT Operations
Number of Buildings at Site
Site
Manufacturing
Number of Operational Impact of Operational Overview Administrati Applications ve (BU HQ Locally Hosted Local Data Center (describe main Outage (select from operations (products) of or Shared (select from drop down) Service) drop down) site)
Site A
4
Product A & B Mfg
X
1-5
Local Site Only
X
Site B
2
X
>100
Enterprise Wide
X
16-100
Entire BU or Region
X
6-15
Multiple Sites
Site C
3
HQ, R&D Vertically integrated XYZ Source
Site D
2
Product C &D Mfg
Customer Distribution Service (Call (Direct to End Center) Customer)
R&D
Component Mfg
Operational Uniqueness
Describe any operational redundancy readily available at Assembly other sites (or externally) or if the Operations site is a sole supplier.
X
X
Sole supplier for Product A
Site A can be utilized if needed. X
X
Can be outsourced to Acme Supply
X
Can recover operations at Site A
Operational Uniqueness Rating (select from drop down) 4 - Sole source and difficult to replicate; NO redundancy exists 2 - Some redundancy exists OR sole source ops can be replicated or outsourced with relative ease 1 - Full redundancy exists OR can be immediately outsourced 3 - Minimal redundancy exists OR sole source ops can be replicated with moderate effort
BU Product Revenue Stream Analysis For each product category, please provide the requested information. See below for additional instructional notes. While historical revenues are referenced, please analyze the organization as it is or will be by end of FY10. The site percentages will be applied to updated revenue numbers as they become available. FY09 Revenues
Product Line/Category (1) Product A Product B Total Business A Product C Product D
(FY09 Actual at Actual FX) (in 000s)
Site A
Site C
25.0%
100%
100%
250,000
30.0%
100%
100%
100%
100%
0%
100%
100%
100%
10%
750,000 250,000
40.0%
350,000
45.0%
50,000
45.0%
Product E Total Business B Total Business Unit
% of Product Line Revenue at Risk if Site Operations were Interrupted (2) (Insert comment boxes as needed)
Average Gross Margin Percent
500,000
Site D
Average # of Weeks of FG Inventory in Distribution Centers (3)
OEM/CM
Europe and Canada
U.S. 2
0%
100%
650,000
0%
92%
44%
0%
1,400,000
54%
96%
20%
0%
Asia Pacific
3
Comments
2
4
3
2
4
6
5
3
2
2
3
3
3
0%
8% 0.0%
4%
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
13
Compile Data for All Sites FY10 Business Impact Analysis - Sorted by Region Location Profile
Business Impact Profile
SS A
City, State, Country City, State, Country
1 1
450 90
1 1
B
B C
CM
CM
FM FM
RD RD
FM FM FM
D RD
CS
D RD
23% 15% 29%
54% 0% 96%
4% 9% 3%
20%
15% 35% 17%
% of Total Inventory in DC
52%
(sole source/ redundancy capability/ ease of replication)
Description Description Description Description
9%
11% 0%
60%
Total FG Inventory Value Physically in DC's (in $ millions)
MS LS
CM
% of BU B Revenue at Risk
16-100 1-5
HQ HQ
CS
R&D
MS LS LS
% of BU A Revenue at Risk
LS EW RG
6-15 1-5 1-5
Distribution
1-5 >100 16-100
SS
% of Total Company Revenue at Risk
SS
A
Final Assembly / Mfg
HQ A
C C
Operational Uniqueness
Financial Impact % of Total Regional Revenue at Risk
1 2 1
Component Mfg
2 2 3
305 240 900
IT: No. of Apps Locally Hosted
C
1,700 190 700
2 2 1
Customer Srvc Call Center
B B B
4 2 3
City, State, Country City, State, Country City, State, Country
Admin/HQ
C SS A A A
City, State, Country City, State, Country City, State, Country
IT: Data Center Impact
Region B Site D Site E Site F Region C Site G Site H
Shared Service Center
Business Unit C
Region A Site A Site B Site C
Type of Operations
% of BU C Revenue at Risk
Businesses Served
# of BU's Corporate
# of EE's
Shared Service
# of Bldgs
Business Unit A
Location
Business Unit B
Facility Name
35% 23%
75%
25% 75%
77.0
Description Description
15% 48%
15.0
Description
0%
Description
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
14
Develop Scoring Criteria Business Impact Analysis Criticality Rating Criteria
Split According to Logical Distribution as well as Stakeholder View
Criticality Criteria ALL LOCATIONS # of Employees
4
3
2
1
> 1,500
750 - 1,499
250 - 749
< 250
Customer Service Component Mfg Level 4 Data Center
Distribution Finished Goods Mfg Level 3 Data Center Shared Service Center
R&D Level 2 Data Center
Admin Level 1 Data Center
> 20%
10 - 19%
5 - 9%
> 50%
25 - 49%
10 - 24%
Criticality Score
Type of Operation
% of Company Revenue % of BU Revenue Operational Uniqueness
Sole source and difficult Minimal redundancy exists OR Some redundancy exists OR sole to replicate; NO sole source ops can be replicated source ops can be replicated or outsourced with relative ease redundancy exists with moderate effort
< 5% < 10% Full redundancy exists OR can be immediately outsourced
CUSTOMER SERVICE & DISTRIBUTION CENTER LOCATIONS > 50% % of Regional Revenue
25 - 49%
10 - 24%
DISTRIBUTION CENTER LOCATIONS % of Total Inventory in DC vs in Field > 75%
50 - 74%
25 - 49%
< 25%
$25m - $75m
$10m - $25m
< $10m
$ LBM Value of Inventory
> $75m
< 10%
All scores were equally weighted, with the exception of % of Company Revenue, which was given twice as much weight.
15
April 12-14, 2010 Sheraton New Orleans
5
Score the Sites FY10 Business Impact Analysis - Sorted by Region Location Profile
Business Impact Profile
1 2 1
SS A
City, State, Country City, State, Country
1 1
450 90
1 1
B
B
SS
A
SS
HQ C HQ
1-5 LS >100 EW 16-100 RG 6-15 1-5 1-5
CM
16-100 MS 1-5 LS
CM
RD RD
FM FM FM
D RD
CS
D RD
23% 15% 29%
54% 0% 96%
4% 9% 3%
20%
11% 0%
15% 35% 17%
52%
% of Total Inventory in DC
60%
Total FG Inventory Value Physically in DC's (in $ millions)
% of BU B Revenue at Risk
R&D
Distribution
FM FM
% of BU A Revenue at Risk
CM
% of Total Company Revenue at Risk
CS
MS LS LS
Final Assembly / Mfg
IT: Data Center Impact
Admin/HQ HQ A
C C
Operational Uniqueness
Financial Impact % of BU C Revenue at Risk
2 2 3
305 240 900
Component Mfg
1,700 190 700
Customer Srvc Call Center
4 2 3 2 2 1
IT: No. of Apps Locally Hosted
C
City, State, Country City, State, Country City, State, Country City, State, Country City, State, Country City, State, Country
Shared Service Center
B B B
Shared Service
C SS A A A
Corporate Region A Site A Site B Site C Region B Site D Site E Site F Region C Site G Site H
Type of Operations
% of Total Regional Revenue at Risk
Businesses Served
# of # of EE's BU's
Business Unit A
# of Bldgs
Business Unit C
Location
Business Unit B
Facility Name
(sole source/ redundancy capability/ ease of replication)
Description Description Description Description
9%
35% 23%
75%
25% 75%
77.0
Description Description
15% 48%
15.0
0%
Description Description
Calculated Business Impact (Criticality) Rating
Strategic/ Subjective Factors
Rating Adjustment Based on Subjective Factors
Final Business Impact (Criticality) Rating
4.00 2.67 2.86
4.00 2.67 2.86
2.00 2.89 2.33
2.00 2.89 2.33
2.67 1.17
2.67 1.17
Expected Rating Change Over Next 12 Months
Subjective Factors
Objective Scoring
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
16
Summarize BIA Results Business Impact Analysis Site Summary by Business Impact (Criticality) Level
Criticality Level Critical >3 Site A
High 3 - 2.1
Medium 2 - 1.6
Site E Site C Site B Site G Site F
Low < 1.5
Site D
Site H
Example Results 15% of Sites
20% of Sites
40% of Sites
25% of Sites
All data is fictitious and is included for example purposes only.
17
April 12-14, 2010 Sheraton New Orleans
Validate Results with BU Management GATHER INPUT ON: Their view of criticality Current ops initiatives Future ops strategies
18
April 12-14, 2010 Sheraton New Orleans
6
BIA Results
Simplistic approach, yet delivered logical results
No big surprises, but quantification of impact was powerful
Easy buy-in about where continuity focus is needed
Viewed as valuable exercise; new way of assessing operations
Increased our credibility by demonstrating we “got” their business
Able to identify themes in data and analyze by organizational type
Identified concentration of operations as well as leverage opportunities across company (vs. typical BU view)
Analysis leveraged by other corporate groups
19
April 12-14, 2010 Sheraton New Orleans
Now Know Where to Focus, BUT ARE OUR KEY SITES RESILIENT? HOW DO WE KNOW WE’VE DONE ENOUGH?
20
April 12-14, 2010 Sheraton New Orleans
GOALS: Drive mgmt engagement Ensure full compliance Recognize progress Address problem areas
Achieve Resilience!
Standards Follow BCM Process Steps
Develop Formal Standards & Requirements
Review/modify requirements and points annually to influence areas of focus.
21
April 12-14, 2010 Sheraton New Orleans
7
Measure Performance Resilience! FY10 BCM Detailed Site Scorecard
4.00
4 Weeks
Site E
2.89
3-4 Weeks
Site D
2.00
4-6 Weeks
Site H
1.17
2 weeks
Site A
6 Weeks Identified through site business impact and risk assessment. Examples range from lack of backup or recovery options; equipment or 2 Weeks supplier dependencies; lack of redundant utility feeds; IT exposures; key people TBD dependencies, etc.
1 Week
7.3 Planning Gaps from Tests Addressed
7.2 Plans Meet RTO's
7.1 Plans in Place & Tested
6.3 Planning Gaps from Tests Addressed
6.2 Plans Meet RTO's
Std. 6: Business Std. 7: IT Disaster Continuity Plans Recovery Plans 6.1 Plans in Place & Tested
5.5 Emergency Action Plan in Place & Tested 5.6 Pandemic Crisis Mgmt Plan in Pace 5.7 Incident Reports Completed & Submitted
5.4 Crisis Mgmt Plans in Place & Tested
5.3 Crisis Commander Implemented
5.2 Notification System or Process in Place and Tested
Std. 5: Emergency and Crisis Management Practices 5.1 Satellite Phone in Place
4.2 Semi-annual Risk Reporting
Std. 4: Risk Mgmt 4.1 Continuous Risk Mitigation Progress
Std. 3: BIRA Completion 3.3 Risk Summary Signed-Off by Mgmt
Std. 2: BCM Scope Includes all Critical Business Processes
3.1 BIRA's Completed Annually 3.2 Risk Tracker Completed
(Key Exposures)
1.2 BCM Coordinator
Top 5 BCM Risks
1.1 Site Objective
Defined Recovery Time Objective
Business Impact (Criticality) Rating
Estimated Current Recovery Time Gap
Facility Name
Std. 1: Mgmt Support
Time to Recover
Location Profile
Overall FY 10 Goals/ Comments/ BCM Explanations Commitments Status
4
4
4
0
0
0
0
0
2
4
0
0
4
0
0
0
0
0
0
0
0
22
4
4
4
4
4
4
4
4
2
4
2
4
4
4
3.9
4
3
3
4
4
4
77.9
4
4
4
4
0
0
3
0
2
4
2
4
4
4
0
2
2
3
3
2
3
54
4
4
4
4
4
4
0
0
0
4
0
0
4
4
4
0
0
0
0
0
0
40
Self-Assessment “Checklist”
Identify Recovery Gaps Report Top Exposures
The Overall BCM Score based on % completion: > 85% complete 51% < score < 85% complete 31% < score < 50% complete < 31% complete
All data is fictitious and is included for example purposes only.
22
April 12-14, 2010 Sheraton New Orleans
Scorecard Results Formalized expectations; reduced confusion Helped articulate BCM gaps to local mgmt & gain support Self-assessment increased accountability Objective and auditable Improved communication between sites and corporate Effectively drives continuous improvement
Bottom Line – Increased Confidence in Efforts!
23
April 12-14, 2010 Sheraton New Orleans
Next Challenge: Drive Support from Top
CREATE RISK AWARENESS DRIVE ACTION AND ACCOUNTABILITY MAKE BCM STRATEGIC
24
April 12-14, 2010 Sheraton New Orleans
8
Improve Mgmt Reporting & Drive BCM “Strategies” LEVELS:
OBJECTIVES: Awareness/Signoff of Key Site Risks Drive Mitigation & Approve Investment Integrate into Operating Strategies
BU/Regional BU/Regional Mgmt Mgmt
Awareness/Signoff of Key Company Risks Develop Cross-Company Solutions Integrate into Cross-Company Strategies
Operations Operations Council Council
Review of Key BU Ops Projects
ExecMgmt Mgmt Exec
Awareness/Signoff of Key Company Risks Drive BU/Regional Accountability Approve Central Resources
BOD: Audit Audit BOD: Committee Committee
Awareness of Key Company Risks Drive Management Accountability
April 12-14, 2010 Sheraton New Orleans
25
Example BU BCM Scorecard Business Impact Site (BIA Rating)
Resilience
Operations Profile
# of BUs
# of EE’s
% of Co. Rev
% of BU Rev
Geo Risk
Overall BCM Score
Recovery Time Objective
Site A Location (4.0)
Product A, B and Z Mfg
2
1,700
23%
54%
4 weeks
6 weeks
Recovery Gap
No back up for Product A Need to define equipment contingency options for Line 4 IT DR gaps
Key Exposures
Site E Location (2.89)
Product X & Z Mfg Distribution
2
240
9%
9%
3-4 weeks
1 week
Single/sole source suppliers Improve energy/water backup options
Recommendations: 1. 2. 3. 4. 5.
Completion of XYZ project is critical; alternatives needed if delayed. Resolve BCP gaps at Site E (generator, suppliers). Ensure that IT backup/manual procedures exist for Site A. Standardize ops processes to increase backup capabilities (Site A & E). Develop continuity plans for Z mfg ops (Site A).
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
26
Example Overall BU BCM Strategy
Site A (54% BU Rev)
Site E
Product A Mfg
(9% BU Rev)
Product B Mfg
Product X Mfg Product Z Mfg Product Z Mfg Distribution
BCM Strategy Legend Backup Site
Recovery Plan
Outsource
Inventory
All data is fictitious and is included for example purposes only.
27
April 12-14, 2010 Sheraton New Orleans
9
Example Mgmt & Board Report Semi-annual reports provided for critical locations. Business Impact Type of Org
Mfg
Site
Sole-Sourced Operations
Geo Risk
Overall BCM Score
FY10 Goals
% of Co. Rev
Site A (Location)
2
23%
Product A Mfg
Develop high-level contingency strategy for Product A mfg operations.
FY10Q4
Site recovery times defined; risk assessments finalized by Q2.
Site E (Location)
2
9%
Product X Mfg Primary DC for region.
Complete BCP plans and implement backup power generator.
FY10Q2
Mitigation projects prioritized and funding approved.
Site G (Location)
1
11%
Sole customer service call center for region
Build call backup at XYZ region site; develop interim contingency.
FY10Q3
Interim solution being implemented; backup site option being evaluated.
DC
Customer Service
Resilience
# of BUs
FY10 Action Plan
Target Date
Current Status
All data is fictitious and is included for example purposes only.
April 12-14, 2010 Sheraton New Orleans
28
Results of Reporting They “Get” BCM! Focused Data Speaks! We Have Their Attention and a Seat at the Table More Strategic View of Risk and Risk Thresholds Strong Management Commitment to Drive Action and Hold Businesses Accountable Now a “Given” that BCM Should be a Part of Operations Strategy Cross Business and Global Collaboration on Key Issues Request to Extend Process to Key Suppliers
WE’VE GOT A LONG WAY TO GO, BUT THE SHIP HAS BEEN TURNED!
29
April 12-14, 2010 Sheraton New Orleans
The Key to Resilience?
Focus! Measure! Report!
30
April 12-14, 2010 Sheraton New Orleans
10
DON’T BOIL THE OCEAN!!
FOCUS ON THE ICEBERGS! 31
April 12-14, 2010 Sheraton New Orleans
Questions and Discussion
32
April 12-14, 2010 Sheraton New Orleans
Contact Info
Tanya Raso Director, Corporate Risk and Business Continuity [email protected] 763-515-1009
33
April 12-14, 2010 Sheraton New Orleans
11
