Post on 12-Jan-2016
2010 Virginia RIMS and PRIMA Conference
October 5, 2010
Business Impact Analysis: The Road Map to Managing Risks
Understanding risks in quantifiable terms provides the roadmap
The need for information…
Measures the enterprise-wide impacts to an organization in the event of a major disruption to key business processes
Financial $ quantification of specific exposures
Applied to internal as well as external processes / facilities
Business Impact Analysis (BIA)
The Evolving Landscape
BUSINESS Competitive pressure Reduced time to market Margin pressure
Operational efficiency High asset utilization Lean manufacturing
Corporate governance
Regulatory compliance
Need for transparency
Executive accountability
Consolidations
Global supply chains
& economic conditions
Business model complexities / silos
The Evolving Landscape
Internal risks
• Traditionally covered?
External risks?
• Do risk management efforts match?
⇒ The distinction between internal and external is becoming more blurry
⇒ The property risk blind spot
Pressures lead to increasing risks
and accountability to manage risk
And yet…
[Figure: disciplines under the BCM 'umbrella': Supply Chain Management; Quality Management; Risk Management; Disaster Recovery; Facilities Management & Risk Improvement; Security; Crisis Communications & Public Relations; Health & Safety; Knowledge Management; Emergency Management]
Response: The BCM ‘umbrella’
Courtesy of the Business Continuity Institute
BUSINESS CONTINUITY MANAGEMENT
Design For Resilience
Understand your business
Implement your continuity strategies
Keep continuity alive
Develop your continuity strategies
BIA
Analysis / prioritization
BC / Ops Strategies
The BCM Model
A few basic assumptions
BCP: Scenario neutral
Probabilities
• Factor into crisis management, not BCP
• Outage time is the key consideration with recovery strategies
Scope
• Entire facility
Worst case scenarios DO happen…plan on it and you’re ready for anything
To know where to direct limited resources, you must determine which activities are most critical to maintaining continuity and achieving your strategic objectives
How would the current level of understanding be assessed?
• Revenue streams, resilience and risks?
• Interdependencies between revenue streams?
• Mitigation capabilities?
• Ultimate exposures?
Design for Resilience
Understand your business
Developing BC strategies
Prevent losses happening in the first place by protecting your critical processes
Make changes now to critical processes in your business model to make it more resilient
Develop plans that you can implement to maintain your business if the worst happens
Specific $ estimates allow for easier cost / benefit evaluation
Information sharing is critical
Finance
Supply chain
Operations
Risk Management
to create a prioritization map
Execution – Business Model Analysis
Firm Infrastructure – Finance
Human Resources
Information Technology
Purchasing/Procurement
Inbound Logistics
Outbound Logistics
Operations
Marketing & Sales
Service
Profit
Questionnaires, with follow-up interviews
Dependency Mapping
Understanding the relationship between revenue / margin streams and:
• Locations (can also drive values reporting)
• Processes
• Applications
• Suppliers (mainly sole sources)

Location      Product A    Product B    Product C    Product D
              $15.5M       $100.1M      $75.6M       $355.3M
Location 1    10%          0%           0%           20%
Location 2    50%          25%          100%         65%
Location 3    100%         100%         100%         100%
Location 4    100%         0%           0%           10%
Quantification Approach
[Table: quantification worksheet. Column headings as shown on the slide: Direct Annual Impact; Interdependent Annual Impacts; Product Lines Impacted; % Impacted; Annual Product Variable Margin(s) (BI Value); Annual Product Variable Margin(s) (BI Value); Replacement Period - Months; Mitigation - Months; Subtotal; Rate; Amount; Rate; Time (months); Amount; Additional Expenses; Post-replacement lost sales]
1. Determine product lines impacted and direct variable margin impacts on a product line basis
2. Evaluate potential interdependent impacts – other revenue streams
3. Determine current replacement / recovery period
4. Assess mitigation capabilities
5. Consider other loss-cost factors
• Additional expenses, related to mitigation or other
• Customer losses, after recovery; can be huge factor
Internal / External Analysis
RTO / MTO Identification
Maximum tolerable outage
• The duration after which an organization’s viability will be threatened if the activity cannot be resumed.
Recovery time objective
• The specific target time set for resumption of performance of an activity / process / application, etc. after an incident, which must support the MTO.
• Evaluate the gap from current recovery
Identification is important, but consider subjectivity
• Evaluate against specific $ exposure quantifications via worst-case scenario
Risk evaluation
Consider the relationship between physical risk and impact to the business when evaluating risk mitigation strategies
Resource direction
[Figure: BI Exposure vs. Risk Quality. Locations plotted: Phoenix, Dallas, Houston, Austin, San Antonio, Orlando, Charlotte, Denver, Beaumont. Horizontal axis: BI Exposure ($M), $0 to $200. Vertical axis: Actual Risk Mark Score, 60 to 100.]
Some examples…
• Carpet manufacturing: chemical supplier
• Coal mining interdependency
• Production bottlenecks
• Medical device supplier exposures
• Sr. management / BOD support for BCP / RI efforts
• Focusing RM resources (RI, BCP, transfer,…)
> $400M
+ Reputation
+ Market Share
+ Shareholder Value
BCM more critical
Prioritized approach to make manageable
• $ quantifications with assessment of physical risks
• Optimizes mitigation strategy selection
• Framework includes loss prevention
Does the management of internal and external risks match?
Summary
Eric Jones, CPA, CVA, CBCP
FM Global
AVP, Manager, Business Risk Consulting
eric.jones@fmglobal.com
972-731-1613