Operational Risk Management - PowerPoint PPT Presentation

Slides: 44
Provided by: bestitdo5
Transcript and Presenter's Notes

1
Operational Risk Management
2
Contingency Planning
Who Can We Rely On For Support?
  • Are We Really Prepared?

3
Support
  • Ensure that there is complete support from senior
    administration, including funding
  • There needs to be concurrence on the objectives
    and scope of the plan
  • Identify both the required and available
    resources (internally and externally)
  • Establish a practical timeline that includes a
    phased-in approach
  • Identify realistic goals that are in keeping with
    established objectives

4
Information Management
Sign
The total of relevant knowledge is often called
intellectual capital. This includes not only
knowledge as a single concept, as an
individual's personal resource, but also the
knowledge of an organization appearing in patents, in
company-specific process models and routines.
Even culture and customer-supplier relationships
belong to intellectual capital.
5
Risk Assessment
Have you thought everything through?
6
Risk Assessment
  • Risk assessment includes the following three
    components
  • Threats
  • Situations that impact an organization
    operationally and/or financially
  • Usually measured in terms of a "what if"
    probability
  • Time is measured by the amount of downtime and
    recovery time required
  • The relative probability of each threat must be
    estimated utilizing the following determinants

7
Threat Determinants
  • Geographic location
  • Topography of area
  • Proximity to major sources of power, bodies of
    water, and airports
  • Degree of accessibility to the organization's
    office and other locations
  • History of local utility companies in providing
    uninterrupted services
  • Previous experience of the area's susceptibility
    to natural, cyber or bioterrorism threats
  • Proximity to major highways which transport
    hazardous waste, combustible products, etc.
  • Proximity to nuclear power plants, chemical
    production facilities or military installations

8
Risk Assessment
  • ASSETS
  • Most organizations measure assets by virtue of
    physical attributes such as buildings,
    furniture, etc.
  • In addition, there are financial assets, which are
    measured by lost revenue, recovery costs
    and any fines or penalties that occur during any
    business interruption
  • A less tangible asset can be the decrease or loss
    of good will or any loss of a competitive stake

9
Risk Assessment
  • MITIGATING FACTORS
  • Usually associated with preventative measures
    that minimize loss and decrease downtime
  • Any policies and procedures that are developed to
    help protect and safeguard an organization and
    reduce the impact from threats
  • Examples can be as simple as security systems,
    fire suppression systems, UPS, and generator
    back-ups

10
Risk Assessment
  • Additional considerations
  • Telecommunications and information systems must
    be reviewed
  • Physical plant administration must also be looked
    at to include facility infrastructure such as
    HVAC, utilities, location, etc.
  • Business functions including staffing, downtime
    procedures and recovery requirements must be
    evaluated

11
Have you conducted a business impact analysis?
12
Business Impact Analysis (BIA)
  • Organizational impact must be measured in four
    major categories
  • Operating system
  • Financial system
  • Legal
  • Regulatory

13
BIA Methodology
  • Identify and meet with Project Coordinator
  • Develop a user data collection document that
    helps define departmental or unit critical
    functions, applications and maximum acceptable
    downtime
  • Schedule a meeting with key personnel to review
    any additional project information and help guide
    them through the departmental or unit interview
    process

14
Background Information
  • The following are areas to be reviewed
  • Current state of contingency planning (BCP)
  • Existing operating systems and processes
  • On-site and off-site IM facilities and procedures
  • Directory of applicable IM software and users (by
    area)
  • IM hardware and connectivity

15
Interview Process
  • Evaluate by area the top priority requirements in
    the following areas
  • Critical Systems
  • High priority tasks
  • Downtime procedures (temporary)
  • IM outage policies and procedures
  • Physical plant requirements
  • Utility requirements
  • Personnel requirements
  • Minimum supplies and equipment
  • Recovery procedures

16
Other Considerations
  • Billing and collection functions are critical
  • Working capital will be difficult to determine if
    information on A/P and A/R is not accessible
  • Remember that you have legal (contractual)
    requirements to vendors and customers that may
    not be fulfilled
  • There are also regulatory deadlines that must be
    maintained (i.e., state and federal tax filings)

17
Recovery Strategies
18
Recovery Classification
  • Functions must be classified in priority order
  • Priority I
  • Priority II
  • Priority III
  • Priority IV
  • Priority V

19
Priority I
  • Downtime is not acceptable.
  • Alternate site(s) with fully functional equipment
    and staff must be available
  • Recovery must be immediate

Priority II
  • A four to eight hour window exists for recovery
  • Alternate site(s) with fully functional equipment
    and staff must be available

20
Priority III
  • Downtime must not exceed 24 hours
  • Systems can be established anywhere (on-site or
    off-site)

Priority IV
  • 24 to 72 hour recovery period

Priority V
  • Greater than 72 hour recovery period

21
Recovery Resources
  • The next step is to identify resources (internal
    & external) that are needed to support ongoing
    operations
  • Utilizing information garnered in the evaluation
    phase will assist with
  • identifying options
  • establishing priorities
  • identifying associated costs
  • reviewing the options with administration
  • gaining consensus to move forward

22
Associated Costs
  • It is wise to establish a table that identifies
    both the revenue impact and additional expense
    associated with BIA
  • This evaluation should be done by department/unit
    and should be performed utilizing a daily revenue
    impact
  • Short term disruptions may not result in an
    increase in direct costs or a decrease in revenue
    on a daily basis
  • Additional expense should be included based on
    the amount of time required to recapture data,
    charges, etc.
  • These can include DOL penalties, OT, one-time
    costs, new equipment purchases, etc.

23
Recovery Resources
  • A cost-benefit analysis must be performed that
    reviews the impact of the cost for recovery
    efforts weighed against the impact of NO recovery
  • Examples of recovery options may include
  • Transfer of duties
  • Temporary facility reconfiguration
  • Internal reciprocal arrangements
  • Back-up sites
  • External support
  • No formal arrangements

24
Recovery Options
  • Transfer of duties
  • This option assumes that other locations are
    available within an organization for work to be
    transferred.
  • Examples can be ambulatory medical facilities
    such as surgery centers, urgent care centers,
    satellite labs, etc.
  • For non-critical functions it may include
    off-site data storage facilities, payroll
    functions, human resources, etc.

25
Recovery Options
  • Temporary facility reconfiguration
  • This option allows for use of non-critical office
    space on the campus or in the building that can
    be used to facilitate more critical functions
  • Physical space that may be considered would
    include education/training rooms, conference
    rooms, unoccupied patient care units, etc.
  • Any temporary facility would need to be equipped
    with electrical, telecommunications, information
    management and office furniture

26
Recovery Options
  • Internal reciprocal arrangements
  • Pre-arranged agreements should be concluded with
    other departments or units within the
    organization that allow for temporary transfer of
    responsibilities
  • This may require that non-critical functions be
    placed on hold in the unaffected
    departments/units
  • It is helpful to periodically evaluate the
    unaffected departments'/units' ability to perform
    the task to be assigned.
  • This can be done during scheduled downtimes

27
Recovery Options
  • Back-up sites
  • Some organizations have constructed alternate
    locations either on the campus or near-by to
    support critical functions
  • This is a very costly investment and not done
    routinely
  • Some organizations contract with other
    organizations (refer to External Support)

28
Recovery Options
  • External support
  • Letters of Understanding must be developed with
    external support organizations to support
    business recovery efforts.
  • These may include
  • Telecommunications & Data Recovery
  • Hotels & schools
  • Utility Companies (Gas, electric, water)
  • Transportation (bus companies, trucking, heavy
    machinery)
  • Municipal offices (public safety)
  • Support Services (laundry, security, bldg./food
    services, staff departments)
  • Healthcare facilities (hospitals, ECFs,
    pharmacies)

29
Recovery Options
  • No formal arrangements
  • In some instances (non-critical functions) it is
    more cost efficient not to have formal
    arrangements
  • When making this determination, senior
    administration must be aware and accept the risks
    associated with this decision

30
Plan Definition
  • Plans must be flexible enough to respond to a
    variety of situations and timelines
  • The plan should enable the organization to
    initiate rapid recovery procedures for
    occurrences that exceed either 24, 48 or 72 hours

31
Contents Of A Plan
  • Executive Summary
  • Risk Assessment & BIA
  • Identify Organization Contingency Planner
  • Definition of crisis management structure
    including
  • General responsibilities
  • Emergency Operations Center (EOC)
  • Notification systems
  • Event verification & damage assessment
  • Management responsibilities
  • Ongoing communications

32
Contents Of A Plan
  • Recovery Activities
  • Public Information
  • Business Recovery Team Structure
  • Organizational Structure
  • Team definitions
  • Team Manager assignments
  • Testing & Continuing Education Methodologies

33
Community Involvement
Who Can You Rely On?
34
Building Relationships
  • Develop solid relationships with both public and
    private sectors
  • This produces a win-win relationship
  • Remember, no organization can function
    independently when there is a disaster situation
  • Planning requires that you not have blinders on
    and that you seek out external resources as well
    as internal resources

35
Community Partnerships
  • Becoming active in community affairs allows an
    organization to have personal relationships and
    have a better understanding of the strengths and
    weaknesses of a community
  • There are many resources that need to be
    developed besides the obvious public safety
    departments such as
  • Emergency Management (local and state)
  • Emergency Medical Services
  • Fire Departments
  • Police Departments

36
Community Resources
  • Additional departments that need to be involved
    can include
  • FEMA
  • Utility Companies
  • City / County Government
  • National Guard
  • Water Companies
  • School Systems
  • Coast Guard
  • Red Cross
  • Etc.

37
Public / Private Cooperation
  • Developing public / private relationships
    benefits everyone
  • Governmental departments gain a better
    appreciation for private sector efficiencies
  • The private sector becomes a partner with the
    community
  • It is better to be part of the solution and
    ultimately the success of proper planning

38
Challenges
  • There are many obstacles to developing a cohesive
    community contingency plan
  • Lack of local governmental support/interest
  • Decreased funding and changing priorities
  • Corporate downsizing
  • Public and private re-engineering
  • Public / private culture differences
  • Little or no standardization
  • Technological changes (increased risk)
  • Outsourcing demands
  • A shrinking globe

39
Survival
  • The long-term survivability of an organization
    or the community it serves is dependent on being
    able to recover as quickly as possible with
    minimal disruption from service or business loss
    and the income that is generated from it.

40
Testing The Plan
Contingency Plan
  • Does it work?

41
Why Test?
  • To determine the feasibility and compatibility of
    back-up facilities and procedures
  • Identify, update and enhance areas within the
    plan
  • Verify the accuracy and completeness of the plan
  • Identify weak areas and utilize in training for
    team members
  • Demonstrate an organization's or community's
    ability to recover
  • Provide a mechanism for updating the plan and
    working with other community partners

42
Types Of Tests
  • Tests can be conducted in a variety of ways
  • Paper drill (using checklists)
  • Scheduled walk-through
  • Scheduled downtimes
  • Area-specific plans (i.e., telecommunications, IM,
    etc.)
  • Scenario based drills with live bodies

43
Develop Test Plan
  • Considerations to include are
  • Purpose of the test
  • Objectives
  • Type of test
  • Timing
  • Scheduling
  • Duration
  • Test participants (internal and/or external)
  • Assumptions
  • Constraints
  • Assignments
  • Test steps