BCM n Risk Management

8/12/2019 BCM n Risk Management http://slidepdf.com/reader/full/bcm-n-risk-management 1/26 1 Driving synergies across disciplines:  Risk Management and BCM Yiannos Gregoriou (AMBCI) Kyprianos Yianni (CYTA BCM Manager)

Transcript of BCM n Risk Management

Page 1: BCM n Risk Management


Driving synergies across disciplines: Risk Management and BCM

Yiannos Gregoriou (AMBCI)

Kyprianos Yianni (CYTA BCM Manager)


Page 3: BCM n Risk Management


Cyta

Cyta – Cyprus Telecommunications Authority

• CYTA has a national infrastructure (covering 800000 citizens) which is identified as a critical infrastructure for the country
• Hub in Eastern Mediterranean (submarine cable systems)
• Active in Greece – CytaHellas

Page 4: BCM n Risk Management


Cyta

• Places emphasis on Management Systems like Business Continuity, Information Security, Quality Systems (ISO, EFQM)
• Places emphasis on Customer Care and Customer Support
• 70% of market share
• Regulated by the Commissioner of Telecommunications and Postal Regulations

Page 5: BCM n Risk Management


Cyta & Business Continuity

• Incident Management, especially Technical Problems
• Many previous attempts for BC plans failed, because they were not based on BC principles
• New attempt in 2000-2001 due to 2 serious technical problems – Decentralised approach and based on BC standard – Much better results.

Page 6: BCM n Risk Management


Cyta & Business Continuity

• 2009 – BCM set as a strategic project for Cyta
• BCM is required by the Regulator – July 2011
• BCM according to BS25999 and Good Practice Guidelines
• Invited International Tenders. Main requirement of tender: Primary Consultant to be a Member of BCI

Page 7: BCM n Risk Management


Cyta & Business Continuity

• Contract with ‘Allospos Ltd’ and primary consultant is Dr. Stamatis Tournis-MBCI
• BCM in Cyta is run by a virtual BC team
• Two members of our BC Team are the first statutory members of the BCI in Cyprus

Page 8: BCM n Risk Management


BCM and Cyta

• BCM gives Cyta a competitive advantage – Business Customers
• Next step – BC Certification for Business products

Page 9: BCM n Risk Management


Problems arising from ERM and BCM independence

• BCM and ERM had a different scope, although similarities were recognised.
• The two systems were run independently (BCM team and Internal Audit).
• Risk Analysis was run twice from two different perspectives with different scopes. Thus results were different.
• Departments were not willing to do the “same job twice”.

Page 10: BCM n Risk Management


Problems arising from ERM and BCM independence

• In BCM, all the critical resources, assets and processes were identified and evaluated in case of a disruptive event.
• ERM analysed and assessed risks based on the company’s business goals.
• Different risks were identified by the two systems and Senior Management had no clear view of priorities.

Page 11: BCM n Risk Management


Problems arising from ERM and BCM independence

• Risk Assessment did not cover the critical activities and resources of the organization as defined by a BCM initiative.
• Top Management and the Board of Directors were familiar with ERM risks but lacked knowledge of the risks identified in the more dynamic BCM environment.

Page 12: BCM n Risk Management


Problems arising from ERM and BCM independence

• All of the above resulted in uncertainties and confusion, and no project prioritization for lowering risks.
• Cyta required a unified Risk Assessment method: the Enterprise Impact Policy.


Page 14: BCM n Risk Management


Cyta’s Enterprise Impact Policy

The Enterprise Impact Policy consists of the following parts:

• Scope of the policy
• Business Areas of Interest
• Roles and responsibilities of each level of management
• The Impact Estimation Matrix

Page 15: BCM n Risk Management


Cyta’s Enterprise Impact Policy

The five business areas of interest are:

1. Financial losses
2. Operational Systems & Capabilities
3. Reputation loss
4. Customers & stakeholders
5. Regulatory, Legal compliance & SLA penalties

Page 16: BCM n Risk Management


Impact Estimation Matrix

Impact levels:
  Critical: Represents significant damages to the whole organisation.
  High: Represents significant damages to the majority of business units.
  Medium: Represents significant damages to one business unit.
  Low: Represents significant damages to parts of business units.

Financial losses – The realisation of a real or potential unexpected economic loss.
  Critical: Financial losses of more than 5%. Recovery requires huge effort and time.
  High: Financial losses between 2% and 5%. Recovery requires large effort and time.
  Medium: Financial losses between 0,5% and 2%. Recovery requires enough effort and time.
  Low: Financial losses of less than 0,5%. Recovery requires small effort and time.

Operational Systems & Capabilities – Access interruption of the operational systems and loss of the operational capabilities of the organisation.
  Critical: Frequent/extended interruptions that influence the entire organisation and its customers. The organisation cannot operate. The recovery requires very large and not-budgeted expenses.
  High: The interruptions are frequent/long in duration and influence an important part of the organisation and customers. Only certain business units of the organisation function normally. Recovery requires large and not-budgeted expenses.
  Medium: Temporary and discrete interruptions that influence a specific operational unit and a part of customers. Only certain business units do not operate normally. Recovery requires some not-budgeted expenses.
  Low: Rare interruptions that influence few customers and a certain operational unit. Recovery requires very few not-budgeted expenses.

Reputation loss – Loss of reputation among persons/society whose opinion could directly or indirectly influence the value of the organisation.
  Critical: Hostile and extended national media coverage and/or decreased confidence of the public and/or important damage to the reliability and reputation of the organisation.
  High: Hostile comments in national media accompanied with decreased confidence in a part of the services, products or business units of the organisation.
  Medium: Hostile comments in national media accompanied with decreased confidence in specific services, products or business units of the organisation.
  Low: Hostile comments in local media accompanied with decreased confidence in a limited and small number of customers.

Customers & stakeholders – Delay, reduction or failure of service provision for home and/or business customers (government, banks, etc.).
  Critical: More than 10% of customers do not receive a service. Loss of a big volume of customers. Business customers do not have service and do not operate normally.
  High: 5%-10% of the customers do not receive service. Important number of complaints from customers. Loss of an important number of customers. Part of the services for business customers do not operate normally.
  Medium: 3%-5% of the customers do not receive service. Enough number of complaints from customers. Loss of an important number of customers. Specific services for specific business customers do not operate normally.
  Low: Less than 3% of customers do not receive service. Small increase of complaints. The majority of services for business customers operate normally.

Regulatory, Legal compliance & SLA penalties – Failure to conform with legal or regulatory obligations or SLA agreements.
  Critical: Expected to cause exceptionally important damage, e.g. withdrawal of license, lawsuit, etc. Penalties in SLA agreements.
  High: Expected to cause fines and disapprovals from the regulatory authorities with extensive financial damage.
  Medium: Expected to cause fines and disapprovals from the regulatory authorities with some financial damage.
  Low: The problem can be solved through negotiations with customers/regulatory authorities/suppliers.

Page 17: BCM n Risk Management


ERM proposition based on EIP

The Risk Assessment process description:

1. Top-down deployment of EIP
2. Run Risk assessment with identification of risks
3. Evaluate impact using the Impact Estimation Matrix.
4. From bottom to top risk registry (define measures/actions/recommendations for each risk.)
5. Each level develops an aggregated risk registry
6. Operational level risk registry
7. Tactical level risk registry
8. Strategic level risk registry

Page 18: BCM n Risk Management


ERM proposition based on EIP

[Diagram: organisational hierarchy from the Board of Directors and CEO down through Business Unit 1 and Business Unit 2 to Department 1, Department 2, Business Function 1 and Business Function 2, labelled across the Strategic level, Tactical level and Operational level. The EIP is deployed from the top, and RIA&M is fed back from the lower levels.]

Legend: RIA&M – Risk Identification, Assessment and Management; EIP – Enterprise Impact Policy.

Page 19: BCM n Risk Management


The Risk Registry

[Spreadsheet template, title “Risk Registry”, with columns: #, Building/Area, Risk, Type of Risk, Risk Evaluation, Infected Service/Product, Existing Controls, Recommendations, Likelihood. Rows 1–15; in the example only rows 1 and 2 carry a likelihood value (5 and 3 respectively).]

Page 20: BCM n Risk Management


The evaluation of risk according to EIP

The registry continues (sheet sections IMPACTS and RISK MANAGEMENT – Impact evaluation of risks) with the likelihood, an impact score for each of the five business areas, the total impact and the resulting priority:

| Likelihood | Financial | Operational Systems & Capabilities | Reputation loss | Customers & stakeholders | Regulatory, Legal compliance & SLA penalties | Total Impact | Priority |
| 5 | 4 | 4 | 4 | 4 | 4 | 5 | 25 |
| 3 | 2 | 3 | 3 | 3 | 3 | 3,5 | 10,5 |

Rows 3–15 are empty (0 / 0). In both sample rows the Priority equals Likelihood × Total Impact (5 × 5 = 25; 3 × 3,5 = 10,5).

Page 21: BCM n Risk Management


Treatment of Risks

The final columns of the registry: Total Impact, Priority, Actions, Responsibility, Residual Risk, Risk Status (Closed/Open), Contingency Solutions. The two sample rows carry Total Impact / Priority values of 5 / 25 and 3,5 / 10,5; rows 3–15 are empty (0 / 0).

Template footer: CONFIDENTIAL – Version: 1.0 – Code:

Page 22: BCM n Risk Management


Risk Appetite Matrix

This is extensively explained in the manual of The Risk Management Framework (ERM Policy).

Page 23: BCM n Risk Management


Conclusions

Running the two processes, we quickly came to the conclusion that our

• BCM and ERM processes must be guided top-down, considering the two systems as two organization resilience disciplines with a common goal.
• By establishing impact parameters and developing a common Enterprise Impact Policy in business terms, we were able to streamline our assessment efforts and focus on the most compelling risks to our business and increase our organizational resilience.


Page 25: BCM n Risk Management


Improvements

During the tactical and strategic levels of risk assessment we recognised the need to improve our results. Some improvements are:

1. To organise workshops for improving the risk assessment methodology used for higher levels in order to obtain better results and to conduct a business impact analysis on the strategic level.
2. To apply the EIP methodology in Information Security and Physical Security systems.

Page 26: BCM n Risk Management


Thank you!

Questions?