Business Continuity: Risk & Resiliency Planning
Katie Stevens, Director, Technology Consulting Practice Leader | Protiviti
Carrie Penman, Chief Risk & Compliance Officer | NAVEX Global
Sam Abadir, Director, Industry Solutions | NAVEX Global
Copyright NAVEX Global, Inc. All Rights Reserved. | Page 2
About the Presenters
• Katie Stevens: Director, Technology Consulting Practice Leader, Protiviti
• Carrie Penman: Chief Risk & Compliance Officer, NAVEX Global
• Sam Abadir: Director, Industry Solutions, NAVEX Global
Agenda
• What is Business Continuity?
• BCM Planning Lifecycle
• Planning for a Pandemic
• Risk Assessment Process
• Pandemic Execution Timeline
• Important Considerations
• BCM for the Compliance Manager
Business Continuity Management Overview
Pandemic Planning
Internal Audit, Risk, Business & Technology Consulting
Protiviti Perspective provided by Jimmy W., Toronto
Business Continuity Management is…
…the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.
• Crisis Management & Communications: A series of actions taken to gain control of the event quickly to minimize the effects of an interruption, prepare for and oversee recovery and manage communications throughout the event.
• IT Disaster Recovery Planning: The recovery of IT processes, systems, applications, databases, and network assets used to support critical business processes.
• Business Resumption Planning: The process initiated to resume business operations to a level consistent with the business requirements.
Recovery Strategies
Business Impact Analysis / Risk Assessment
BCM Planning Lifecycle
BCM Quality Assurance
Quality Assurance
Implementation
Project Management and Knowledge Transfer
Crisis Management Strategy
Business Recovery Strategy
IT Disaster Recovery Strategy
IT Architecture Strategy
BCM Diagnostic
Risk Assessment
BCM Program Governance
Business Impact Analysis
Implement Crisis Management Plan
Implement Business Recovery Plan
Implement IT Disaster Recovery Plan
Implement IT Architecture
Test Crisis Management Plan
Test Business Recovery Plan
Test IT Disaster Recovery Plan
On-Going BCM Lifecycle Planning & Management
Strategy Design
Business Assessment
Planning for a pandemic
Pandemic Planning is different from Business Continuity in the following ways:
• Buildings, infrastructure, access to power and telephony are intact.
• Significant absenteeism (estimates range from 40-60%) can inhibit production capabilities, as fear of exposure and care for sick family members keep employees away from work.
• Supply chain disruption and logistical challenges as suppliers and transportation companies also face absenteeism.
• Travel bans, closings of schools and businesses and cancellations of events could have a major impact on employees and customers.
Risk Assessment Process
The continuum of pandemic phases with indicative WHO actions
Source: WHO
Pandemic Execution Timeline
Crisis response to a pandemic event will evolve as successive waves of infection take hold and the long-term operational implications of an event become apparent.
[Figure: pandemic execution timeline, plotted against time]
Phases: Alert Phase, Response Phase, Recovery Phase
Approximate timeframes: Zero to 60 Days, Four to Five Months, 12 to 18 Months
Surveillance: WHO, CDC, State BOH, Media
Activities shown:
• Crisis Management & Emergency Communications
• Strategic Business Prioritization
• HR Pandemic Benefits Activation
• Expense Management
• Employee Health Monitoring
• Public Sector Engagement
• Vendor SLA Confirmation
• Health Training & Awareness
• Core Business Re-Alignment
• Staff Acquisition & Re-Allocation
• Procurement & Financing
• Restricted Access to Facilities
• Humanitarian Response
• Vendor Acquisition
• Social Distancing & Health Protocol
• Remote Access Deployment
• Market Share Protection / Extension
• Succession & Rightsizing
• Debt Refinancing
• Selective Restart of Operations
• Vaccine Acquisition / Distribution
• Vendor Triage
• Infrastructure Re-Marketing
• Technology Provisioning
• Work Force Re-Integration
Key Pandemic Events
• Sustained human-to-human transmission.
• Rapid global spread of human infection.
• Shortages in anti-viral medications.
• Shortages in personal protective equipment.

• First wave infection rate of 20% to 30%.
• 1% to 2% death rate of those infected.
• Pandemic agent is isolated by CDC.
• First vaccines produced within six months.

• Successive waves of pandemic infection.
• Natural immunity begins to take hold.
• Vaccine production scales upward.
• Public distribution of vaccine initiated.
Important Considerations
Communication
• The organization must have an effective way to reach those working for our company to inform them of the status of the pandemic flu approaching or affecting the company and their responsibilities during the pandemic.
• The company should also validate and activate its emergency call procedures directing employees with recorded messages, delivering information about their work activities.
• The organization must have an effective way to reach employees, and alert them to their responsibilities during the pandemic.
Training
• Information and training are at the heart of pandemic flu planning and containment. The company’s goal is to ensure employee comprehension and understanding of how employees may be exposed to pandemic flu, what their responsibilities are, and what protective measures they can take. Due to the complexity of a flu pandemic and the continuity and recovery process, training can be provided.
Inventories, Supplies, and Services
• The company’s supply chains may become disrupted in a flu pandemic, during Phase 1 & 2, so it should consider stockpiling products and supplies that may be needed. If the supply is running short, supplies should be stocked at an alternate leased site in close proximity.
BCM for the Compliance Manager
• Compliance is the underestimated need in business continuity planning and execution
• Influence, leadership and risk management must be integrated throughout BCM
• Pandemic planning provides unique challenges that compliance managers must be involved with
• Risk and BCM leaders are moving forward fast…ensure they have compliance insight
• New normal operations and contracts
• Privacy impacts
• Reporting to local, state and federal agencies
• Regulatory change is imminent
• Don’t forget the implication of ethics when planning
• Your reputation may be at risk internally and externally
• As the world and your business are reopening, your business continuity plans will change faster than ever
• Conflicts and decisions will need to be based on compliance and risk
• Compliance needs a seat at the table…if not the head of the table
People
Locations
Supplies
Technology
Vendors
Risks
Key Takeaways
1. Focus on preparedness
2. Understand upstream and downstream dependencies
3. Adjust for the remote work environment
4. Be ready to course correct quickly
5. Don’t forget the implication of ethics when planning
QUESTIONS
© 2020 Copyright NAVEX Global, Inc. All Rights Reserved. | Page 18
Thank You!