Business Continuity and Risk Management: Essentials of Organizational Resilience

By Kurt J. Engemann, PhD, CBCP
Douglas M. Henderson, FSA, CBCP

ISBN 9781931332545 (Softback)
ISBN 9781931332736 (PDF)
ISBN 9781931332897 (EPUB)

Rothstein Associates Inc., Publisher
Brookfield, Connecticut USA
www.rothstein.com

Business Survival™ Weblog: Business Continuity for Key Decision-Makers from Rothstein Associates at www.rothstein.com/blog

Copyright © 2012, by Kurt J. Engemann and Douglas M. Henderson

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher.

No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.

Library of Congress Control Number (LCCN) 2011933801

PUBLISHER:
Philip Jan Rothstein, FBCI
Rothstein Associates Inc.
The Rothstein Catalog on Disaster Recovery
4 Arapaho Rd.
Brookfield, Connecticut 06804-3104 USA
Tel: 203.740.7444
Fax: 203.740.7401
[email protected]
www.rothstein.com

Foreword

As a business continuity professional serving New York’s Wall Street firms, I have been an active part of how the profession has evolved. Not that long ago, business continuity was viewed as an afterthought by many organizations: a form to complete and a box to check off.
The defining moment, however, for me and many senior managers now leading business resiliency and risk programs in major corporations, as well as our firms’ senior leaders, was the crucible of the World Trade Center disaster, September 11th. This unimagined tragedy of unimaginable proportions taught us that no threat is impossible. Planning and preparation for both the possible and impossible, we learned, are essential for any organization.

Many of us learned business continuity and risk management by doing it, strengthened along the way by a growing international body of experience and knowledge drawn from practitioners and academicians. Kurt Engemann and Douglas Henderson have made a fundamental contribution with their focus on resiliency issues. In an “open source” format, they have assembled a core curriculum spanning a discipline that traditionally took major portions of a career to experience and understand. A blend of theory, common sense, best practice and cases, this versatile textbook provides a structured learning tool and encyclopedic reference guide for business continuity and risk management students, teachers, practitioners, and executives.

One of my favorite chapters focuses on awareness and exercises. In March 2001, at the Wall Street firm where I headed Business Continuity at the time, we completed a major disaster recovery exercise for a scenario covering the complete loss of our primary data center near the World Trade Center. This scenario and much worse was realized six months later. On that day our preparation and exercises rewarded us with the restoration of key information processing capabilities at a backup location in just over two hours. Through resilient operations and people, these efforts played a key role in helping restore basic functionality to the markets and the financial services industry affected by 9-11.

No one can foresee the future.
But I believe that this can be no excuse for lack of preparation, management support or exercises that improve awareness and continuously sharpen our organizational and technical response to adversity. We repeatedly experience the unimaginable, whether Mumbai terror attacks, tornado clusters, earthquakes or tsunamis. Crises will continue to arise, as will our need to understand and practice the essentials of organizational resilience.

Roseann McSorley
Managing Director
Global Business Resiliency Head
JPMorgan Chase & Co.
New York City

Note: The writer is not necessarily representing the views or opinions of JPMorgan Chase & Co.

Foreword

Business Continuity Management has been around for the best part of 30 years through its antecedents in Disaster Recovery and Emergency Preparedness. Arguably Risk Management has an even longer pedigree given its evolution from insurance and loss control. Together they form the backbone of how a business or public body protects itself from threats and hazards of all types.

Given their importance in an increasingly risky world and their relative maturity as business disciplines, it is strange that little has been done to structure the subject in a way that is accessible to students and the wider academic community. Most relevant books and professional journals are targeted at either the professional practitioner or those with general interest in the topic. What has been missing is a college core textbook that covers the basic body of knowledge for aspiring students wishing to gain academic qualifications en route to a professional career in Business Continuity or Risk Management. This new book by Kurt Engemann and Douglas Henderson does much to redress this deficiency in our arsenal of published literature.
Written at a level which is very comprehensive but still easily readable, it provides a route-map through the terminologies, methodologies and philosophies of the subject. It is impossible to define the subject matter as precisely as many would like; there are many sources of good practice and national standards circulating globally and many competing views about what constitutes best practice. There are even many debates about the intrinsic nature of BCM and Risk. Are they really about Regulation and Compliance or are they about the improvement of Organizational Resilience? Some might argue they are about both. Given these still unanswered questions, Engemann and Henderson have given us a fair picture of the “state of the art” and one in which most subject matter experts could feel reasonably comfortable.

They have combined the formal coverage of traditional topics like Business Impact Analysis and Strategy Development with some strong content particularly suitable to those set on a career in Risk Management. Their treatment of Risk Modeling as a specialized area in the book is challenging and interesting. Although not all will want to delve too deeply into the theoretical basis for such techniques, the chapter on Probability and Statistics makes enlightening reading for those who do. Alternatively, for those of a more practical bent, the range of case studies included is informative and provides ample evidence of the value and importance of the topics covered and their application.

As Technical Director at the Business Continuity Institute, one of my specific duties is to encourage the inclusion of BCM as a serious topic in graduate and masters business programs. I believe this book will form a cornerstone of many such programs and I look forward to it facilitating the discussions I plan to have with many academic bodies in the coming months and years.
The Business Continuity Institute welcomes this book and wishes the authors well in their efforts to engage with both the business and academic communities in a language that both will understand.

Lyndon Bird, FBCI
Technical Director and Board Member
The Business Continuity Institute

Foreword

Businesses can be interrupted and destroyed by a number of threats – manmade and natural. Engemann and Henderson have done something about it with this book. For years, Business Continuity Planning Professionals have passionately attempted to address these issues, often working with knowledge gained from years of experience, trials, failures and limited resources. Kurt Engemann and Doug Henderson decided to actively recruit talented learners into the field through their research, experience with real clients, writing and the graduate certificate program at Iona College. In this book, they provide the facts and examples on which decisions should be made: not knee-jerk reactions to crises, but researched, professional practices that produce informed decisions prior to, during and following a business interruption or crisis.

The book cements the notion that BCP professionals will achieve greater success if they collaborate with external resources. The integration of NIMS and ICS into the private sector has been the hallmark of my professional practice, and Engemann and Henderson endorse this practice.

This is a book that will inform the novice, support the expert and enhance every business continuity planner’s efforts to create a resilient organization. The book is well organized as an instructional tool, a reference guide, and as a toolkit for practitioners. The outlines provided in the Appendices are worth the price of the book. Students at both the undergraduate and graduate levels will find what they need to build a strong foundation for business resiliency, regardless of the nature of the business career they seek.
Adult learners, and those already BCP practitioners, will find solid support and proven practices to enhance and improve their work. Most of all, an executive, a student, or a practitioner who absorbs the content of this book will be better prepared to function in a field where preparedness is absolutely essential. This book will serve you well in your education and practice.

Dr. Thomas D. Phelan
Program Director
Emergency and Disaster Management and Fire Science
American Public University System

Brief Contents

Copyright
Forewords
Preface
About the Authors
Chapter I: Fundamentals of Business Continuity Management
Chapter II: Business Continuity Management Organization
Chapter III: Business Impact Analysis
Chapter IV: Risk Assessment
Chapter V: Strategy Development
Chapter VI: Disaster Recovery for Information Technology
Chapter VII: Information Systems Security
Chapter VIII: Emergency Response
Chapter IX: Enhancing Coordination with External Agencies
Chapter X: Business Continuity Plan
Chapter XI: Crisis Communication
Chapter XII: Crisis Information Management Systems
Chapter XIII: Sustaining Organizational Resilience
Chapter XIV: Fundamentals of Probability and Statistics
Chapter XV: Statistical Applications in Risk Management
Chapter XVI: Simulation Modeling and Supply Chain Risk
Chapter XVII: Risk and Decision Modeling
Case Study A: Alpha Investment Services
Case Study B: Beta Widget Makers
Case Study C: Supply Chain Analysis
Case Study D: Sample Risk Assessment
Case Study E: Phased Pre-Positioning of Employees
Case Study F: Tabletop Exercise
Glossary
Appendices
Index