Title: Building A Resilient Enterprise
1. Building A Resilient Enterprise
We must become the change we seek in the world
Mahatma Gandhi
Presented by Leonard Gravesande, Vice President, MBA, BBA, CBCP, JP MorganChase, Association of Contingency Planners, New York City Chapter, Executive Board Member
November 15, 2007
2. Introduction
- High impact, low probability threats require a new thinking and a new model for survivability.
- Traditional disaster recovery and business continuity models are under attack and under pressure to change.
- 9/11, Hurricane Katrina and the northeast blackout exposed major gaps in critical planning assumptions upon which many recovery strategies and plans were built.
- The avian flu, evolving changes in regulatory compliance, globalization and the frequency of threats to our environment all present enormous challenges for enterprises.
3. Purpose
- To challenge the traditional business continuity management frameworks and stimulate new thinking about resiliency model consideration.
- To raise heightened awareness of business resiliency and its benefits.
- To present a common reference point for resiliency understanding, communication, successful planning and implementation.
- To offer an evolutionary framework, methodology and an integrated holistic approach relative to resiliency planning.
4. Context
- This discussion will be descriptive, illustrating what needs to be considered, as opposed to being prescriptive (i.e., how to do it).
- Practitioners can leverage the descriptive elements and tailor the actionable steps, aligned to a supportive organization culture and risk management philosophy, to build resiliency capabilities into the fabric of their organizations.
5. What is resiliency?
- Resiliency, as defined by Webster's International, is the property of being resilient, moving swiftly back and capable of withstanding shock without deformation.
- According to Professor Yossi Sheffi from MIT, it is not an event but a process.
- A resilient enterprise is one that is characterized by a culture of leadership, flexibility, empowerment, and communications guided by some core principles to sustain the business-critical mission following a major disruptive event.
6. Key Considerations
- How can enterprises plan for random as well as intentional threats that have a potentially significant impact to their core business mission?
- What strategies are necessary and needed to navigate the high impact, low probability threat landscape?
- How can enterprises transform the strategic resiliency vision and imperatives into a set of viable capabilities for sustainability and competitive advantage?
7. Resiliency Planning Assumptions
- Enterprises are at risk for different types of disasters and disruptive events and have some level of preparedness to mitigate the threats.
- Each enterprise will leverage and optimize existing resources while planning for the future.
- While each enterprise has its own history, culture and way of doing things, change will not come easy.
- The realities of the regulatory environment, leadership commitment, current capabilities assessment, future capabilities targets, risk management philosophy and associated investments will shape the scope, approach and roadmap for successful planning, implementation and ongoing management of the resiliency strategy.
8. What's wrong with existing IT-centric DR and Business Continuity Models?
- IT DR models are single purposed, technology focused and not readily and easily adaptable to event and regulatory compliance-driven changes.
- Alternatively, in a number of existing Business Continuity models, the primary focus is on business process and people recovery with a dependent technology architecture and support infrastructure. However, in many cases, plans are developed in isolation from the strategic value chain partners and are seldom aligned to business drivers and full resumption of mission.
- The above-referenced models are rarely pro-active; they are rigid, costly to maintain and devoid of a clear, unambiguous expression of risks, their cause, impact and consequences.
9. Why resiliency maturity models?
- Resiliency maturity models
  - are forward-looking, opportunity-oriented, and capabilities as well as decision based.
  - enable a more agile response to dynamically changing conditions.
  - are a natural extension of the existing business processes and capabilities.
  - enable a structured approach and methodology designed to mitigate failure risks and contain, if not negate, headline risk.
  - are continuously subject to re-evaluation and improvements.
10. Illustrative lessons of resiliency
- Philips Electronics production plant fire in March 2000
  - Nokia and Ericsson impacted with different outcomes.
- Leading financial services response to hurricane events
  - Well developed strategies and plans protect lives and sustain expected levels of service with little or no business impact by transferring work and not people to unaffected zones.
- Sub-prime mortgages and financial credit meltdown
  - Headline risk cripples the leadership at 2 major investment firms as market cap plunges, while other financial services have successfully deflected perceptions of a crisis of confidence, thus avoiding a similar fate.
- US Coast Guard and Hurricane Katrina
  - Before the storm hit Louisiana, the U.S. Coast Guard pro-actively moved assets to Louisiana, saving countless lives.
11. Barriers to successful implementation
- Vision (Leadership)
  - Resiliency is rarely placed on the strategic agenda of top management and in some instances inadequately funded.
  - Unlike daily trading and other core revenue generating service related activities, resiliency considerations are often perceived as expense related activities with lower strategic value.
- People (Management)
  - Generally, staff not briefed in. Only a small part of the workforce understands the strategy and resiliency mission.
  - Risk and change management practices not endemic within the culture.
  - Failure to empower staff to make decisions during a crisis.
  - There is a State of Denial regarding the viability of existing plans.
- Process
  - Failure to understand and validate the process flow and crisply define requirements and organize work around virtual or global teams.
- Technology
  - Mis-alignment of business and technology strategies and priorities.
12. Resiliency Framework
- Organization/governance structure with a program oversight charter
- Senior management commitment and sponsorship
- Sound business case with a balanced risk/cost analysis and value-oriented benefits for goal alignment and resiliency program funding
- Developed and articulated communication strategy and plan
- Guiding principles, policy and standards to drive the prescribed resiliency goal objectives
- A holistic integrated program that incorporates not only strong governance oversight, but also human resource management, crisis management, risk assessment and management, legal and compliance management, vendor and service provider management, change management and testing, subject to continuous measurement, reporting and refinement.
13. Implementation considerations
- Identify resiliency maturity model framework and gain executive commitment to use that framework as the basis of scoping and approach for moving forward.
- Benchmark where your existing capabilities are and determine where your enterprise wants to go over a specific time horizon.
- Understand your environment (i.e., your business mission and drivers, your risks, and available resources).
- Adopt and leverage existing enterprise change management principles and tools from ITIL or similar quality control process improvement tools.
14. What are the requisite strategies?
- Enhance and aggressively promote the requisite resiliency culture change by defining or re-affirming the organization's shared values and unity of purpose, and by providing incentives designed to remove the resiliency barriers.
- Effectively manage people, process and technology risks through resiliency.
- Communicate continuously to stakeholders and reinforce the core resiliency mission, value proposition and purpose of action.
15. Translating strategies to solutions
- Leverage a holistic approach for planning.
- Engage all partners along the value chain continuum and
- Collaborate, collaborate, collaborate.
- Develop a unified plan with multi-disciplinary cross functional teams and subject matter experts for the optimal solution set.
- Abstract and present an easy to understand visual resiliency framework.
- Build highly networked communications infrastructure and design-in redundancy, diversity, and operational flexibility.
16. Translating strategies into solutions
- Leverage standardized facilities where applicable and develop concurrent processes.
- Build upon and expand plans that were developed for DR and BC.
- Develop or enhance policies, standards, procedures and response activities, including but not limited to, surveillance and early warning signals, pre-defined triggers and decision points, and communications.
- Assess maturity level of your program on an ongoing basis using the capability maturity model or like-kind benchmarking model and continuously refine as warranted.
17. When disaster actually strikes
- It's time for crisis management leadership
- Knowing what to do can be the difference between calm and courage, life and death, survival or extinction.
- Having a crisis management system in place in advance is key.
- Sense and correctly interpret the signals relative to the threat and impact to the enterprise's operations.
- There is an urgency to act, including rapid decision making. Decisions may have to be made by empowered staff at the front lines or periphery of the disaster.
- Communication to stakeholders including partners must be timely and accurate.
18. When disaster actually strikes
- Be mindful that it is not what actually happened that matters but what others perceive to have happened.
- Move rapidly to address employee and visitor well being, protect assets, minimize emotional trauma, limit damage and resume operations.
- Deploy resources commensurate with strategy and the developed unified plan.
- Increase or decrease production or services as conditions warrant.
- Continuously monitor and manage mitigation, response and recovery activities until full business resumption.
- Conduct post event lessons learned exercise for knowledge transfer and improvements to resiliency program.
19. Summary
- Resiliency maturity models are an evolving concept
- These models are being introduced to address the limitations of the current BC and DR models.
- Successful planning, implementation and ongoing management will depend on acquiring a richer understanding of existing capabilities, future target capabilities and building a framework, guiding principles and management system to support the resiliency strategies and capabilities.
- The journey towards building a more resilient enterprise will not happen overnight.
- However, adopting the framework and management system will help enterprises reach the ultimate resiliency destination sooner rather than later.
20. Questions and Answers