Effectively Communicating Enterprise-Wide Business Continuity to Senior Management and Stakeholders
October 7, 2014

Agenda
• Background
• Program Elements
• What Makes it “Enterprise-wide”
• Recommended Strategies

• Established in 1896, Preferred Mutual Insurance Company is headquartered in New Berlin, New York
• Provides property and casualty insurance coverage to individual and business customers through a network of independent agents throughout the Northeast
• Rated "A" for excellent through A.M. Best
• Please visit us at www.preferredmutual.com
• Email questions to [email protected]

Where Do We Even Begin???
What do we do?
(Word cloud of terms: Business, Catastrophe, Contingency, Management, Crisis, Continuity, Disaster, Disruption, Planning, Preparedness, Emergency, Incident, Risk, Interruption, Program, Recovery, Readiness, Resilience, Technology (IT))

Let’s See What the Industry Has To Say
Business Continuity:
• An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services. (NFPA 1600)
• The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. (DRJ)
Business Continuity Management:
• Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (ISO 22301)
• The process that organizations use to ensure business continuity is maintained across their organization. (DRJ)

More Industry Terminologies
Business Continuity Program:
• Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management. (ISO 22301)
Business Continuity Management Program:
• Ongoing management and governance process supported by top management and appropriately resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review. (BCI)

Yes, Even More Industry Terminologies
Disaster Recovery:
• The technical aspect of business continuity. The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster recovery includes subsequent resumption and restoration of those operations at a more permanent site. (DRJ)
Disaster/Emergency Management:
• An ongoing process to prevent, mitigate, prepare for, respond to, maintain continuity during, and recover from an incident that threatens life, property, operations, or the environment. (NFPA 1600)
• A program that implements the mission, vision, strategic goals, objectives and management framework of the program and organization. (BCI)

And Now… a real ‘Monkey Wrench’
Enterprise Risk Management (ERM):
• ERM includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. (BCI and Wikipedia)
(Keep in mind, this has only been a sampling of terms used to help us understand what is Enterprise-Wide Business Continuity.)

1st Step… Bring Focus/Definition to the Program
Business Continuity Management (BCM):
• Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience¹ with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (ISO 22301)
¹ Resilience:
• (1) the ability to become strong, healthy, or successful again after something bad happens (2) the ability of something to return to its original shape after it has been pulled, stretched, pressed, bent, etc. (Merriam-Webster.com)
• The adaptive capacity of an organization in a complex and changing environment. (ASIS)
• DRII Editor’s Note: (a) Resilience is the ability of an organization to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event. (b) Resilience is the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must. (ASIS)

Use References: Leverage Industry Best-Practices
• DRI International (DRII) – Professional Practices
• Business Continuity Institute (BCI) – Good Practices Guidelines
• Industry Publications and White Papers (and even Conference Materials)
• Vendors/Business Partners

Enterprise-wide is Thought-Shifting
From This… (diagram labels, in order: BC Plan Ownership; BCM (You); Your Organization; Facilitation/Expertise)
To This… (diagram labels, in order: BC Plan Ownership; Your Organization; BCM (You); Facilitation/Expertise)

Requires Dept Heads becoming Plan Owners
(Diagram of plan-owning departments. Group labels: Incident Response (& Mgmt); Direct Customer-facing Areas; Critical Infrastructure/Support)
Departments shown: Executive Team Liaison; CIRT; Corp Comm; Human Resources; IT Operations; Site Services; Customer Service; Claims; Field Agency Marketing; Financial Operations; Internal Audit; Personal Lines; QA & Agency Interface; Commercial Lines; BCM Comm; IT Enterprise Applications; SBS Project Development; Gov’t Affairs; Actuarial; General Counsel; Finance & Risk Mgmt; Other Depts/BU’s…

Enterprise-wide is also Approach-Shifting (Process-based vs Scenario-based plans)
① BU’s Identify Process Resource Requirements…
② Then common dept tasks…
③ And then broad scenarios…
(Diagram: Dept BC Plan)
PROCESSES, resource requirements: Applications / Software; Equipment; Supplies; Procedures; Com. Devices; Vital Records; Employees; Teams; Agents and/or Customers / Policyholders; Suppliers / Providers and/or Vendors
Tasks: Process Tasks; Dept/BU Leadership Checklist
- Account for Employees
- Determine Critical Staffing needs
- Report Status
- Determine escalation/activation
- (etc., etc….)
Scenarios: Inclement Weather / Regional Disaster; Pandemic (Workforce Red); Building Outage; Technology Outage
Overlay with Company Strategic Responses

Enterprise-wide Bridges Gaps
• Focus/Highlight BIA and Business Process Prioritization
• Ensure the correct level of IT DR, given the ‘ultra-low tolerance for latency’ world in which we operate today
• Ensure the business has the correct IT DR expectations
• Address Work Area Recovery/Continuity
• Keep Management involved and continuously updated
(Diagram: two PROCESSES panels, each with Tasks and the resource categories Applications / Software; Equipment; Supplies; Teams; Procedures; Com. Devices; Employees; Vital Records; Agents and/or Customers / Policyholders; Suppliers / Providers and/or Vendors)

Requires Enterprise-Wide Incident Coordination
(Organization chart; labels as extracted)
Leadership: CEO; Strategic Oversight (- SVP’s, - VP’s and Sr Directors); Strategy; Executive Liaison; Team; Gen Counsel
Incident Commander (IC): Person “In-Charge”, Named at T.O.D.
Facilitation by BCM
Leads:
• Site Services: Infrastructure Co-Lead
• IT Operations: Infrastructure Co-Lead
• Personal Lines: P & I Co-Lead
• Customer Service: P & I Co-Lead
• Corp Communications: Logistics Co-Lead
• Human Resources: Logistics Co-Lead
• Finance & Risk Mgt: Finance Lead
Back-ups:
• SS Back-up #1; Back-up #2; Co-back-ups
• IT Ent Applications: IT Back-up #1
• IT Disaster Recovery: IT Back-up #2
• Claims: P&I Back-up #1
• QA & Agency Interface: P&I Back-up #2
• Corp Comm: CC Back-up #1
• Corp Comm: CC Back-up #2
• HR: HR Back-up #1
• HR: HR Back-up #2
• Financial Operations: Finance Back-up #1
• Actuarial: Finance Back-up #2
Other departments shown: Field Agency Marketing; Gov’t Affairs; SBS Project Dev; Commercial Lines; Internal Audit
Legend (colour key not recoverable): Command; Infrastructure; Logistics; Planning & Intelligence; Finance
Our Enterprise-Wide BCM Model (Design and Guidance)
Business Continuity Committee
Company/Infrastructure Readiness
(Making Ready)
(Should there be a need…)
• Employee Preparedness, Policies and Communications
• Facilities Preparedness, Mitigation, Emergency Response and Security
• IT Preparedness, Mitigation and IT Disaster Recovery
(Design and Guidance)
Department Business Continuity Plans
• Plan Design and Development
• Training and Exercises
• Each Department is responsible for its own BC Plan and Readiness
(Making Ready)
Incident Response (& Mgmt)
• CIRT (Corporate Incident Response Team) comprised of key stakeholders
  − Centralized management of all incidents – including Catastrophes
  − Escalates/Communicates with Executive Leadership, as necessary
(Should there be a need…)
• Response Protocols for each Satellite Office

Then… Communicate BCM in Common Sense
• Business Continuity is the advanced planning and preparation for things that can happen – and then being ready to respond when things do happen
• What does that really mean? (Hint: You won’t find it in a binder, or on a software tool…)
  – “It’s in the Planning, not the Plans”: BCM is an embedded organizational culture that promotes continuous planning, preparation and making the business ready to respond
  – We understand people come first, but doing our jobs becomes the priority once safety is addressed
  – Which means, every employee has a role in business continuity. We want you!
  – Every employee must be fully prepared at work and at home, including their families

Recommended Management Strategies
1. Start a BCM Committee
  – Dept Heads from: Facilities, IT, Corporate Communications, HR and Key Customer-facing BU’s
  – Use Risk-based (ERM) / Best Practices approach, and establish that BCM is a “Show-Stopper”
2. Establish an Incident Response and Management Team (both Members/Protocols)
3. Leverage ‘like-minded’ efforts that are already established. Use BCM Committee to consolidate and update (possibly agree for BCM to take the lead on integration/improvement)
4. Gain Senior Management approval for a 2- to 4-step design/re-design and deployment strategy
  – Begin 1st step ASAP!
5. Provide regular updates and recommendations to Senior (C-level) Executive Management
6. Leverage Corp Comm to socialize BCM to entire company as much as possible… Be Creative!!!

Recommended Employee Strategies
1. Highly promote that all employees prepare themselves and their families:
  – Lots of help out there! e.g. Red Cross: “Get a Kit. Make a Plan. Be Informed.”
  – Download local alert apps for weather and other emergencies (http://arcbrcr.org/#SITE) (In NY, www.nyalert.gov)
2. Highly encourage supervisors/subordinates to exchange critical contact information
3. Everyone has a role and is expected to do something during an incident… even if just a phone call
  – Know where to go and what to do, even if it’s home. (If you don’t know, ask)
  – We understand that family comes first. Give management the courtesy of knowing your situation and strive to make yourself available. (This is our place of both customer commitment and employment)

When can we communicate that we have achieved Enterprise-Wide Business Continuity?
• Business Continuity Committee – Confluence and Oversight
• BCM Program Office – Facilitation and Expertise
• Each Department Head is a BCM Plan Owner – Accountability & Ultimate Responsibility
  – IT Depts (including DR) are included in this!
  – Signs Attestation that BCP is Viable/Actionable, and that SVP’s/Employees are Informed/Trained
• Business Continuity Liaison – Plan Owner-designated Single-Point-of-Contact
  – Facilitates information-gathering and plan development (as well as data input and BCM activities)
• Incident Response & Management – Protocols to Ensure a Defined Team is Organized/Ready

Enterprise-Wide Business Continuity
It’s in the Planning, not the Plans!
Q&A
Thank you,
Dave Prosser, MBCP
[email protected]