Risk Management vs Continuity Management
Marie-Hélène Primeau, CA, MBCI
President, Premier Continuum
DRJ Fall World, September 12, 2011

Marie-Hélène Primeau, CA, MBCI
  Chartered Accountant and Member of the Business Continuity Institute
  In Business Continuity for more than 8 years
  Consulting with medium and large organizations to develop and maintain Business Continuity Management Programs in various industries such as Manufacturing, Distribution and Logistics, Government, Financial Services
  Teaching
    Lecturer, post-graduate degree at the University of Montreal (Business Continuity and Resilience)
    Developer and instructor of the BCI 2-Day Overview of the BCM Lifecycle
    Instructor for the Business Continuity Institute 5-Day Course
    Has taught BCI Good Practice Guidelines in North America, Europe and online
    Instructor for a 2-Day workshop on Exercising your Plans

Definitions
  Risk (ISO 31000): Effect of uncertainty on objectives
  Business Continuity (BCI GPG 2010): Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level

Examples of Past Incidents
  Japan 2011: Earthquake > Tsunami > Nuclear Crisis
  BP Oil Spill 2010
World Economic Forum Global Risk Report 2011

Organizational Context
  (Diagram labels: Your organization; Competition; Other Stakeholders; Suppliers & Business Partners; Environment; Logistic & Transportation; Shareholders; Legislations & Regulations; Reputation; Customers)

Risk Management Process (ISO 31000)
  (Diagram: Principles / Framework)

Risk Assessment
  Any types of risk including risk to continuity
  BCM typically here
  (Chart axes: Impact, Likelihood)

Risk Management Process (ISO 31000)
  (Diagram: Principles / Framework)

Risk Treatment Options

Risk Management Process and BCM Lifecycle
  (Diagram: Principles / Framework)
  Source: BS25999-1 / Business Continuity Institute Good Practice Guidelines
  Source: ISO 31000

Risk Management vs Business Continuity Management (BCM)

Risk Management (ISO 31000)
  Risk Management Framework
  Establishing the context
  Risk Assessment (BIA is one of the tools)
  Risk Treatment
  Communication and consultation
  Monitoring and Review

BCM (BS25999-1)
  Policy and Programme Management
  Scope Determination (Policy)
  Understanding the Organization
  Business Impact Analysis (BIA)
  Risk Assessment focused on organisation's most urgent activities
  BCM Strategies Development & Implementing BCM response
  Embedding BCM in the Culture
  Exercising, Maintaining and Reviewing

Business Impact Analysis (BIA)
  Purpose: for each activity, product or service
    Document the impacts over time from its loss or disruption
    Identify the Maximum Tolerable Period of Disruption (MTPD) and thus the priorities for recovery
    Identify the dependencies (both internal and external) that are required to enable the activity to operate effectively

Business Impact Analysis
  Source: The Business Continuity Institute 5-Day Course

Evaluating Threats through Risk Assessment (within the BCM context)
  BIA should be conducted in advance
  Focus on most urgent activities
  Estimates likelihood and impact of threats
  Helps in identifying potential causes of interruption
    Such as unacceptable concentration of risks (single points of failure)
  Can identify measures to reduce likelihood or impact of disruptions
  Can benefit from existing risk management and inform

Evaluate Risks to Most Urgent Activities
  Loss of key personnel / significant number of employees
  Loss of Information technology systems (equipment and/or applications)
  Loss of telephone systems
  Loss of main premises
  Loss of vital resources / records
  Loss of key equipment
  Loss of services / utilities (water, electricity, etc.)
  Loss of a major supplier or business partner (subcontractor)

Risk Reduction and Mitigation
  Prevention
  Protection
  Detection
  Suppression

BCM in Context
  (Diagram labels: Emergency Planning; Incident Management; BCM; Crisis Com.; Risk Management; ICT Disaster Recovery)

Where should BCM report within the organization?
  Source: Engaging & Sustaining the Interest of the Board in BCM Survey, The Business Continuity Institute, 2011

In Conclusion: Key Success Factors
  Obtain top management commitment and sponsorship
  Build on existing programs
  Seek appropriate internal and external support and resources

"Chance favors only the prepared mind." Louis Pasteur

Marie-Hélène Primeau, CA, MBCI
President, Premier Continuum Inc.
mhprimeau@premiercontinuum.com
514-761-6222 ext. 1003
www.premiercontinuum.com