Establishing a Sustainable Risk Management & Contingency Planning Program · 2019-11-26


Page 1

Establishing a Sustainable Risk Management & Contingency Planning Program

David Nolan, CEO

Fusion Risk Management, Inc.

© 2010 Fusion Risk Management, Inc. Fusion Framework®...Simply, Better!™

TOPICS

• Compelling Questions
• Challenges & Obstacles
• Continuity Risk Management
• Constituents, Drivers and Risk Tolerance
• Entities and Risk Sources
• Business Alignment & Risk Intersections
• Risk Disposition Framework / Processes
• Program Structures and Sustainability
• From BCP to Sustainable Risk Management
• Questions

Page 2

Compelling Questions

• Do you know how much your firm spends on risk?
• Do you know how those decisions get made?
• Are threats, vulnerabilities, impacts and controls part of the management consciousness?
• Are your activities connected with revenues, profits and market share?
• Are you managing risk or managing plans or simply reacting to everything?
• Are you a valuable asset or an expense?
• Does your management understand you? Do you understand them?

Challenges and Obstacles

• Ambiguity
• Structure
• Communication
• Process
• Ignorance
• Apathy
• Confusion

Page 3

Bottom’s Up BCP

[Diagram labels: Stakeholders (Executives, Managers, BOD); Threats, Impacts, Notes & Evidence; Assessment, Compliance & Audit; BCP Manager; Program Data (Maturity, Test, & Impact History); Administration, Documentation, Follow-up, Reporting; Regulations, Standards, and Required Evidence]

Leading or Begging?

Page 4

Continuity Risk Management…

• Define Program Scope
• Document Constituency
• Prioritize Business Drivers
• Define Risk Tolerances
• Define / Organize Entities
• Define Credible Threats
• Identify Risks that Exceed Tolerances
• Establish Mitigation Strategies/Residual Risk Profiles/Costs
• Mitigate or Document Risks Per Plan
• Monitor, Validate, Refine

…not garden variety BCP/DR.

Fitting in the Bigger Picture

[Diagram labels. Operational Risk Program Management Activities: Risk Assessment; Business Impact Assessment; Capability & Gap Assessment; Contingency Planning; Risk and Activity Monitoring; Risk and Activity Reporting; Loss Prevention; Property Protection; Mitigation Investment Management; Insurance Program Management; Education and Awareness; Audit and Compliance. Risk domains: Continuity; Property & Casualty; Compliance; Marketplace; Safety; Supply Risk; Audit and Compliance Risk. Responses: Preventive Measures; Contingency Plans; Alternative Resources/Assets; Insurance; Active Risk Management]

Page 5

Risk Management Constituency

[Diagram labels: Business Drivers; Board of Directors; Executive Team; Regulators and Rating Agencies; Fiscal and Fiduciary Management; Customers, Shareholders, & Employees; Quality & Brand Equity; Fiscal and Fiduciary Oversight; Compliance]

Continuity Risk Management Drivers

• Operational Impact
• Financial Impact
• Compliance Impact

Page 6

Risk Tolerance…

Operational Disruption: How long can you function if you are unable to perform essential services? How much of a disruption can you absorb and return to normal?

Financial: What are the sources of financial risk and how do they develop over time?

Compliance/Regulatory: What contractual obligations would be breached, including regulatory, client and supplier agreements?

…a measure of pain!

Risk Response

[Chart labels: Fiscal; Fiduciary; “Best Practices”; Excessive; Residual Business Impact. Response options: Do Nothing; Identify & Accept; Basic Measures; Advanced Measures]

Page 7

Where’s Your BCP Risk?

There is a lot more to a company than a data center…and a lot more risk…and a lot more opportunity!

Major Risk Epicenters

Impacts to the Data Center or HQ are far reaching, but they are highly protected operations in most cases.

Page 8

Local Risk Epicenters

Impacts to Factories, Warehouses and Suppliers may not be as far reaching, but are more frequent and visible, especially related to health, safety, and compliance.

Business Alignment

[Diagram labels: Lines of business]

Page 9

Business Alignment

[Diagram labels: Lines of business; Public Infrastructure; Service Providers; Suppliers; Facilities]

“Risk Intersections”

[Diagram labels. Products: Product 1, Product 2, Product 3, Product “n”. Processes: Process 1, Process 2, Process 3, Process 4, Process 5, Process “n”. Entities: Entity 1 (Entity 1.1, Entity 1.2), Entity “n” (Entity n.1, Entity n.2). Risk Profiles: Demographics, Threats, Controls, Likelihoods, Impacts, Inherent Risk, Residual Risk, Alternatives, Metrics, Contingency Plans]

Page 10

Program Evolution/Maturity

Risk Management (Strategic)
• Business Value
• Priorities
• Brand Equity

Program Management (Evolving)
• Currency/Completeness
• Test/Validation
• Activity Management

Plan Management (Tactical)
• Assets
• Resources
• Documentation

IT…Business Operations…Supply Chain

Impact Matrix

[Chart axes: Inherent Impact to Company (Operational, Financial, Compliance): Major, Significant, Moderate, Minor, Insignificant; Inherent Risk Likelihood]

BC Risk Sources
• Factories
• Co-manufacturers
• Suppliers
• Logistics
• Shared Services
• IT Operations
• Business Offices

Page 11

Risk/Control Matrix

[Chart axes: Risk Exposure (Impact x Likelihood): Major/Expected, Significant/Likely, Moderate/Possible, Minor/Unlikely, Insignificant/Remote; Control Activities: Excessive, Adequate, Refinement Needed, Inadequate. Cell labels: Monitor Controls; Improve Effective Risk; Controls Improve; Accept/Monitor; Reduce; Monitor Risks]

Management measures residual risk as a function of inherent risk factored for impact, likelihood and controls.

Decision Framework: Flying Blind

Page 12

Decision Framework: Active Management

Risk/Response Profiles
• Loss of IT Services
• Loss of Business Operations
• Personnel Disruption
• Third Party Impact

Page 13

Continuity Risk Management Elements

[Diagram labels: Incident Response; Salvage & Restoration; IT Preparation & Response; Damage Assessment; Evacuation; Contingency Planning; Business Unit Preparation & Response; Crisis Management; Emergency Management]

Sustainable Risk/Program Management

[Diagram labels: Financial Risk/Impact Management; Operational Risk/Impact Management; Compliance Risk/Impact Management; Management & Governance; Threats and Controls; Program Management; Impact Management; Business Alignment; Process Alignment; Risk/Impact Management; Facilities; Suppliers; Service Providers; Public Infrastructure; Human Resources; Plans & Procedures; Step 1, Step 2, Step 3]

Page 14

Risk Management Workflow

[Diagram labels: Risk Management Repository; Regional Approvals; Reports & Dashboards; Analysis; Local Updates (Teams, Rosters, Resources); Central Program Management and Monitoring; Template Plans and Standards]

From BCP to Continuity Risk Management

• Work backwards! (Solve)
• Define program scope: breadth and depth (Know)
• Accept the concept of accepting risk. (Understand)
• Present choices, not answers. (Inform)
• Monitor controls and risks. (Manage)
• Drive plans from the program. (Enable)
• Stop trying to drive programs from plans! (Support)
• Refine your approach/automate (Improve)

Page 15

QUESTIONS

Establishing a Sustainable Risk Management & Contingency Planning Program

David Nolan, CEO

Fusion Risk Management, Inc.