BCM n Risk Management
Transcript of BCM n Risk Management
8/12/2019 BCM n Risk Management
http://slidepdf.com/reader/full/bcm-n-risk-management 1/26
Driving synergies across disciplines:
Risk Management and BCM
Yiannos Gregoriou (AMBCI)
Kyprianos Yianni (CYTA BCM Manager)
Cyta
• Cyta – Cyprus Telecommunications Authority
• CYTA has a national infrastructure (covering
800000 citizens) which is identified as a critical
infrastructure for the country
• Hub in Eastern Mediterranean (submarine
cable systems)
• Active in Greece – CytaHellas
Cyta
• Places emphasis on Management Systems like Business Continuity, Information Security,
Quality Systems (ISO, EFQM)
• Places emphasis on Customer Care and Customer Support
• 70% of market share
• Regulated by the Commissioner of
Telecommunications and Postal Regulations
Cyta &
Business Continuity
• Incident Management, especially Technical Problems
• Many previous attempts at BC plans failed, because they were not based on BC principles
• New attempt in 2000-2001 following 2 serious technical problems: a decentralised approach based on a BC standard, with much better results.
Cyta &
Business Continuity
• 2009 – BCM set as a strategic project for
Cyta
• BCM is required by the Regulator – July 2011
• BCM according to BS25999 and Good
Practice Guidelines
• Invited International Tenders. Main
requirement of tender: Primary Consultant to
be a Member of BCI
Cyta &
Business Continuity
• Contract with ‘Allospos Ltd’ and primary
consultant is Dr. Stamatis Tournis-MBCI
• BCM in Cyta is run by a virtual BC team
• Two members of our BC Team are the first
statutory members of the BCI in Cyprus
BCM and Cyta
• BCM gives Cyta a competitive advantage with Business Customers
• Next step – BC Certification for Business
products
Problems arising
from ERM and BCM independence
• BCM and ERM had a different scope, although similarities were recognised.
• The two systems were run independently (BCM team and Internal Audit).
• Risk Analysis was run twice, from two different perspectives with different scopes. Thus the results were different.
• Departments were not willing to do the “same job twice”.
Problems arising
from ERM and BCM independence
• In BCM, all the critical resources, assets and
processes were identified and evaluated in
case of a disruptive event.
• ERM analysed and assessed risks based on
the company’s business goals.
• Different risks were identified by the two
systems and Senior Management had no
clear view of priorities.
Problems arising
from ERM and BCM independence
• Risk Assessment did not cover the critical activities and resources of the organization as defined by a BCM initiative.
• Top Management and the Board of Directors were familiar with ERM risks but lacked knowledge of the risks identified in the more dynamic BCM environment.
Problems arising
from ERM and BCM independence
• All of the above resulted in uncertainty and confusion, and in no project prioritization for lowering risks
• Cyta required a unified Risk Assessment method: the Enterprise Impact Policy
Cyta’s Enterprise Impact Policy
The Enterprise Impact Policy consists of the
following parts:
• Scope of the policy
• Business Areas of Interest
• Roles and responsibilities of each level of management
• The Impact Estimation Matrix
Cyta’s Enterprise Impact Policy
The five business areas of interest are:
1. Financial losses
2. Operational Systems & Capabilities
3. Reputation loss
4. Customers & stakeholders
5. Regulatory, Legal compliance & SLA penalties
Impact Estimation Matrix

Impact levels:
• Critical: represents significant damages to the whole organisation
• High: represents significant damages to the majority of business units
• Medium: represents significant damages to one business unit
• Low: represents significant damages to parts of business units

Financial losses (the realisation of a real or potential unexpected economic loss):
• Critical: financial losses of more than 5%. Recovery requires huge effort and time.
• High: financial losses between 2% and 5%. Recovery requires large effort and time.
• Medium: financial losses between 0.5% and 2%. Recovery requires a fair amount of effort and time.
• Low: financial losses of less than 0.5%. Recovery requires small effort and time.

Operational Systems & Capabilities (access interruption of the operational systems and loss of the operational capabilities of the organisation):
• Critical: frequent/extended interruptions that influence the entire organisation and its customers. The organisation cannot operate. Recovery requires very large, unbudgeted expenses.
• High: frequent/long interruptions that influence an important part of the organisation and its customers. Only certain business units of the organisation function normally. Recovery requires large, unbudgeted expenses.
• Medium: temporary and discrete interruptions that influence a specific operational unit and a part of the customers. Only certain business units do not operate normally. Recovery requires some unbudgeted expenses.
• Low: rare interruptions that influence few customers and a certain operational unit. Recovery requires very few unbudgeted expenses.

Reputation loss (loss of reputation among persons/society whose opinion could directly or indirectly influence the value of the organisation):
• Critical: hostile and extended national media coverage and/or decreased confidence of the public and/or important damage to the reliability and reputation of the organisation.
• High: hostile comments in national media accompanied by decreased confidence in a part of the services, products or business units of the organisation.
• Medium: hostile comments in national media accompanied by decreased confidence in specific services, products or business units of the organisation.
• Low: hostile comments in local media accompanied by decreased confidence among a limited, small number of customers.

Customers & stakeholders (delay, reduction or failure of service provision for home and/or business customers, e.g. government, banks):
• Critical: more than 10% of customers do not receive a service. Loss of a big volume of customers. Business customers do not have service and do not operate normally.
• High: 5%-10% of the customers do not receive service. Important number of customer complaints. Loss of an important number of customers. Part of the services for business customers do not operate normally.
• Medium: 3%-5% of the customers do not receive service. Considerable number of complaints from customers. Loss of an important number of customers. Specific services for specific business customers do not operate normally.
• Low: less than 3% of customers affected. Small increase in complaints. The majority of services for business customers operate normally.

Regulatory, Legal compliance & SLA penalties (failure to conform with legal or regulatory obligations or SLA agreements):
• Critical: expected to cause exceptionally important damage, e.g. withdrawal of licence, lawsuit, etc. Penalties in SLA agreements.
• High: expected to cause fines and disapprovals from the regulatory authorities with extensive financial damage.
• Medium: expected to cause fines and disapprovals from the regulatory authorities with some financial damage.
• Low: the problem can be solved by negotiation with customers/regulatory authorities/suppliers.
ERM proposition based on EIP
The Risk Assessment process description:
1. Top-down deployment of EIP
2. Run Risk assessment with identification of risks
3. Evaluate impact using the Impact Estimation Matrix
4. Build the risk registry from bottom to top (define measures/actions/recommendations for each risk)
5. Each level develops an aggregated risk registry:
6. Operational level risk registry
7. Tactical level risk registry
8. Strategic level risk registry
ERM proposition based on EIP

Organisation levels (as drawn in the diagram):
• Strategic level: Board of Directors, CEO
• Tactical level: Business Unit 1, Business Unit 2
• Operational level: Department 1, Department 2, Business Function 1, Business Function 2

Legend:
• EIP: Enterprise Impact Policy (deployed top-down, per step 1 of the process)
• RIA&M: Risk Identification, Assessment and Management (run at each level, with registries built bottom-up, per step 4 of the process)
The Risk Registry

Title: Risk Registry

Columns of the registry sheet (the sheet continues on the next two slides):
• #
• Building/Area
• Risk
• Type of Risk
• Risk Evaluation
• Infected Service/Product
• Existing Controls
• Recommendations
• Likelihood

The sheet has rows 1 to 15. In the example, row 1 has Likelihood 5 and row 2 has Likelihood 3; rows 3 to 15 are empty.
The evaluation of risk according to EIP

Risk Management: Impact evaluation of risks

Columns continued from the registry sheet:
• Likelihood
• Impacts, one column per business area of interest: Financial; Operational Systems & Capabilities; Reputation loss; Customers & stakeholders; Regulatory, Legal compliance & SLA penalties
• Total Impact
• Priority

Example rows:
• Row 1: Likelihood 5; Impacts 4 / 4 / 4 / 4 / 4; Total Impact 5; Priority 25
• Row 2: Likelihood 3; Impacts 2 / 3 / 3 / 3 / 3; Total Impact 3.5; Priority 10.5
• Rows 3 to 15: empty (Total Impact 0, Priority 0)
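The scoring shown in the evaluation rows above, together with the quantitative bands of the Impact Estimation Matrix, as an added Python example; this is not code from the presentation or from Cyta. It assumes a numeric scale Low=1, Medium=2, High=3, Critical=4 for the matrix levels (the slides give none), and it infers Total Impact = sum of the five area impacts / 4 and Priority = Likelihood × Total Impact from the two sample rows (5 with impacts 4,4,4,4,4 gives 5 and 25; 3 with impacts 2,3,3,3,3 gives 3.5 and 10.5), since the slides do not state the formula. The names financial_level, customers_level, RegistryRow and prioritise, and the three sample risks, are constructed for the example.

```python
"""Risk scoring in the manner of Cyta's Enterprise Impact Policy (EIP).

Added example, not code from the presentation or from Cyta. Assumptions:
- The four matrix levels are scored Low=1, Medium=2, High=3, Critical=4
  (the slides give no numeric scale for the levels).
- Total Impact = sum of the five area impacts / 4 and
  Priority = Likelihood * Total Impact. Both rules are inferred from the
  two sample registry rows (5, [4,4,4,4,4] -> 5, 25 and
  3, [2,3,3,3,3] -> 3.5, 10.5); the slides do not state the formula.
- Matrix band boundaries (2%-5%, 0.5%-2%, ...) are taken as inclusive at
  the lower bound, which the matrix leaves open.
"""
from dataclasses import dataclass, field

# Order of the five business areas of interest, as on the slides.
AREAS = ("financial", "operational", "reputation", "customers", "regulatory")
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def _band(value: float, thresholds: tuple[float, float, float]) -> int:
    """Score a quantitative value against three ascending thresholds:
    below the lowest -> 1 (Low) ... above the highest -> 4 (Critical)."""
    low, mid, high = thresholds
    if value > high:
        return 4
    if value >= mid:
        return 3
    if value >= low:
        return 2
    return 1


def financial_level(loss_pct: float) -> int:
    """Financial losses row of the matrix: <0.5% Low, 0.5%-2% Medium,
    2%-5% High, >5% Critical."""
    return _band(loss_pct, (0.5, 2.0, 5.0))


def customers_level(affected_pct: float) -> int:
    """Customers & stakeholders row: <3% Low, 3%-5% Medium,
    5%-10% High, >10% Critical (share of customers without service)."""
    return _band(affected_pct, (3.0, 5.0, 10.0))


@dataclass
class RegistryRow:
    """One line of the risk registry (only the evaluation columns)."""
    number: int
    risk: str
    likelihood: int
    impacts: dict[str, int] = field(default_factory=dict)

    def total_impact(self) -> float:
        # Assumed aggregation rule, inferred from the slide's sample rows.
        return sum(self.impacts.get(a, 0) for a in AREAS) / 4

    def priority(self) -> float:
        return self.likelihood * self.total_impact()


def prioritise(rows: list[RegistryRow]) -> list[RegistryRow]:
    """Order the registry so Senior Management sees the highest priority first."""
    return sorted(rows, key=lambda r: r.priority(), reverse=True)


# Constructed sample registry: the two evaluated rows from the slide, plus a
# third row scored from quantitative estimates with the matrix helpers.
SAMPLE_ROWS = [
    RegistryRow(1, "Constructed risk A", 5,
                dict(zip(AREAS, (4, 4, 4, 4, 4)))),
    RegistryRow(2, "Constructed risk B", 3,
                dict(zip(AREAS, (2, 3, 3, 3, 3)))),
    RegistryRow(3, "Constructed risk C", 2, {
        "financial": financial_level(1.2),   # 0.5%-2% -> Medium (2)
        "operational": 2,                    # scored by hand from the matrix text
        "reputation": 1,
        "customers": customers_level(4.0),   # 3%-5% -> Medium (2)
        "regulatory": 1,
    }),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_ROWS):
        print(f"#{row.number} {row.risk}: likelihood {row.likelihood}, "
              f"total impact {row.total_impact()}, priority {row.priority()}")
```

Only the financial and customer areas have numeric bands on the matrix; the other three are worded qualitatively, so they stay hand-scored here. The division by 4 reproduces the slide's figures exactly but is a guess at the sheet's formula; anyone adopting the registry should confirm the aggregation rule with the ERM policy owner before relying on the resulting priorities.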
Treatment of Risks

Columns continued from the registry sheet:
• Total Impact
• Priority
• Actions
• Responsibility
• Residual Risk
• Risk Status (Closed/Open)
• Contingency Solutions

Example rows:
• Row 1: Total Impact 5; Priority 25
• Row 2: Total Impact 3.5; Priority 10.5
• Rows 3 to 15: empty (Total Impact 0, Priority 0)

Sheet footer: CONFIDENTIAL, Version: 1.0, Code:
Risk Appetite Matrix
This is extensively explained in the manual of The Risk Management Framework (ERM Policy)
Conclusions
Running the two processes, we quickly came to the conclusion that our
• BCM and ERM processes must be guided top-down, considering the two systems as two organization resilience disciplines with a common goal.
• By establishing impact parameters and developing a common Enterprise Impact Policy in business terms, we were able to streamline our assessment efforts and focus on the most compelling risks to our business and increase our organizational resilience.
Improvements
During the tactical and strategic levels of risk assessment we recognised the need to improve our results. Some improvements are:
1. To organise workshops for improving the risk assessment methodology used for higher levels, in order to obtain better results, and to conduct a business impact analysis at the strategic level.
2. To apply the EIP methodology in Information Security and Physical Security systems.
Thank you!
Questions?