BCM Presentation - Investment or Expense? (in English) A recent presentation I made evaluating if BCM is investment or expense.

1. Business Continuity
Investment or expense?
Sidney R. Modenesi, MCBCC, MBCI
IV Seminário de GCN
Gestão da Continuidade de Negócios
Brasília – 25/06/13
1
This is a quick and straight translation of the original presentation, i.e., some translation errors may occur.

2. Agenda
 Opening
 What is Business Continuity
 Some local significant regulations
 Standards and Good Practice
 Real experiences
 Investment or expense
 Adjourn
2

3. Presenter
 Sidney R. Modenesi, MCBCC, MBCI,
BS 25999 Technical Expert;
 BCI Area Representative for Brazil;
 STROHL Brasil General manager since 2002;
 Bachelor in Computer Sciences, IME/USP;
 Master Degree in Entrepreneurship, FIA/FEA/USP;
 Approved in the DRII certification exam in 2000;
 Approved as MBCI by BCI in 2005;
 BS 25999 Technical Expert by BSI in2011;
 Contacts: sidneymd@thebci.com.br
sidney_modenesi@strohlbrasil.com.br
+55 11 5583-0033
3

4. Business Continuity Institute
 Global leader institute in Business Continuity;
 Mission: to promote the art and science of Business
Continuity worldwide;
 With 10.000+ certified professionals in 100+
countries;
 Supported the development and enhancement of
many Business Continuity standards as:
 PAS 56, BS 25999, ISO 22301/22313, GPG 2013 ...
4

5. Assumptions
“If anything can go wrong, it
will.”
Murphy s Law
“And more, it will go wrong in
the worst manner, at the worst
moment and in a way it will
cause the worst possible
damage.”
Corollary
“Murphy was an optimist”.
Clark s Law
Noeh Arch
1st documented record of Business
Continuity in the Human Kind
history, although using an inside
information …
5

6. What is Business Continuity?
(according to ISO 22301/22313)
It is a holistic management process
that identifies potential threats to an
organization and the impacts to
business operations those threats, if
realized, might cause, and which
provides a framework for building
organizational resilience with the
capability of an effective response
that safeguards the interests of its
key stakeholders, reputation, brand
and value-creating activities.
6

7. What is Business Continuity?
(according to ISO 22301/22313)
7

8. What is Business Continuity?
(according to ISO 22301/22313)
Or simply: to restart in a
planned way services,
products and/or critical
business processes in a
alternate location, in a
priory defined time frame
and service level, before
the consequences and
impacts become
unacceptable.
8

9. Local significant regulations
3380 Regulation – BACEN (like FED)
Defines the implementation of the Operational Risk
management strucuture in accordance with the Basel II
agreement. Be in force since July 29th, 2006.
VI – existence of contingency plans containing
strategies to be adopted to assure continuity
conditions of core activities and to limit severe losses
due to operational risks.
9

10. Significant regulations
Business Resiliency and
Continuity
Principle 10: Banks should
have business resiliency and
continuity plans in place to
ensure an ability to operate on
an ongoing basis and limit
losses in the event of severe
business disruption.
The Committee’s paper, High-level principles
for business continuity, August 2006, discusses
sound continuity principles in greater detail.
10

11. Local significant regulations
SAC Law
(Customer Service Centers)
SUSEP – Circular # 285
(insurance market)
4. Operational Continuity
Plans:
4.1. to indicate a summary
plan of the operational
continuity in contingency or
emergency situations;
4.2. to present the results of
the last test of the
operational continuity test.
11

12. Standards and Good Practice in BCM
ISO 22301:2012 Good Practice Guidelines 2013
12

13. Real experiences
World Trade Center – 09/11/2001 London Underground - 2005
13

14. Real experiences
Riots – 2006 ...
Riots – 2006 ...
RJ, SP ...
14

15. Real experiences
15
Vulcano in Iceland Vulcano in Chile

16. Real experiences
Fukushima, Japão - 2011
16
Due to the Fukushima earthquake and
tsunami some Brazilian car factories
had to close one of the production
shifts due to lack of core components.
BALANCE: Lost sales

17. Real experiences
Oklahoma tornado - 2013 Petrópolis/RJ - 2011
17

18. Real experiences
18
All variations of flue Dengue, an endemic local problem

19. Real experiences
Fire in one of the Social Security
buildings in Brasilia (INSS) - 2005 Data Center fire - 2009
19

20. Real experiences – Social Midia
Foreign Affairs invasion – 06/13
Brasilia Congress invasion – 06/13
20

21. Real experiences – Crisis management
21

22. Real experiences
The potential risks list is
endless:
 Naturals:
 Heavy rains,
earthquakes, vulcanos,
tornados ...
 Humans, accidentals
or deliberates:
 fire, explosion,
contamination ...
 Technological:
 Hacker, invasion, virus,
systemic failure...
22

23. Risk Appetite
For each non eliminated risk 
An strategy developed, documented, tested and
updated will be needed 
To restart in a planned way services, products
and/or critical business processes in a alternate
location, in a priory defined time frame and
service level, before the consequences and
impacts become unacceptable.
23

24. Implementation cycle
• To identify and mitigate risks.
• FOR EACH NON ELIMNATED RISK
• Recovery Strategies
• Developed, documented, tested and updated
• To planned restart services, products and/or business processes in an
alternate location
• PDCA - Plan, Do, Check and Act
24

25. Investments and expenses
The development and implementation of the
Recovery Strategies will require de:
• Initial (upfront) investments to adapt office space,
electrical power, network, PABX and phone lines,
desks, chairs, workstations ...
• Recurring expenses to maintain all this infra
structure and
• Eventual expenses with exercises, testes and
validation tests (DRP).
25

26. Equilibrium point
RISK APPETITE
Time
Financial
and operational
losses
Investments in
prevention and
contingency
$
t0
t1< t0
< Risk Appetite
t2 > t0
> Risk Appetite
$
26

27. Investment or expense?
• Financially BCM has:
– Implementation investments  CAPEX
– Recurring expenses  OPEX
• In the Management or Risk Appetite point of
view BCM helps to increase the operational
resilience
– Increasing availability, productivity and time
redution of the interruptions  Investment
–It is part of the business cost.
27

28. Return of investment
Plan
Do
Check
Act
Plan the recovery
strategy
Implement
the recovery
strategy
Exercise, test and
stress the recovery
strategy
Treat the Non
Conformities:
•Update the Recovery
Strategies and/or
•Update the BAU
daily processes.
Benefits: improve in the
quality, productivity and
availability of the critical
products, services and
business processes.
28

29. Adjourn
A well developed, implemented and maintained
Business Continuity Program will:
 Increase the Risk Awareness;
 Reduce the organization risks;
 Reduce the interruption durations;
 Bring ROI;
 Increase the organization value, specially with
a BCMS certification.
29

30. Closing
Plan for the WORST
Work for the BETTER.
30

31. Closing
Contacts:
Sidney R. Modenesi
 sidneymd@thebci.com.br
 sidney_modenesi@strohlbrasil.com.br
 +55 11 5583-0033
31