Business continuity & resilience...Business Continuity Management System Monitor & Review (Check) BC...

Date post: 03-Aug-2021
Board Leadership Center 30 September 2020 Business continuity & resilience
Transcript
Page 1: Business continuity & resilience...Business Continuity Management System Monitor & Review (Check) BC Awareness & Communication BCMS Management Review BC Documentation Based on ISO

Board Leadership Center

30 September 2020

Business continuity & resilience

Page 2

© 2020 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member firms of the KPMG network are affiliated.

All rights reserved.

Setting the Scene: A crisis is a threat to some, an opportunity to others

Analysis suggests that the recent crisis experienced by companies has four phases, summarized as the four R’s:

• Reaction: Responding to immediate challenges

• Resilience: Managing through uncertainty

• Recover: Resetting and identifying opportunities

• New Reality: Adapting to a new world

Page 3

Setting the Scene: A crisis is a threat to some, an opportunity to others

8 themes companies should be thinking about:

1. Continuity and resilience

2. Labor force

3. Ways of working

4. Purpose, ESG

5. Change in customer behavior

6. Supply chain and manufacturing

7. Debt burden of states and companies

8. Globalization

https://home.kpmg/be/en/home/insights/2020/06/company-of-tomorrow.html

Page 4

Setting the Scene: Speakers

Daniël Pairon

Partner

Head of Strategy and Operations, KPMG in Belgium

Global Head of KPMG Asset Management

Benoit Watteyne

Director

Cyber & Privacy, KPMG in Belgium

Page 5

Today’s Programme

• Setting the Scene

• Business Continuity in a New Era

• Resilience as a Way of Working

• Questions & Answers

Page 6

Setting the Scene: An ever changing environment

Risk Events & Potential Threats

• Natural Disasters: Fires, Floods, Earthquakes, Cycles

• Information Technology: Data, Systems, Network, Suppliers

• Malicious Actions: Terrorism, Hackers, Sabotage, Theft

• Human: Pandemics, Strikes

Page 7

What is Business Continuity Management at all

Business Continuity alignment with Resilience Management

• Business Continuity Management: Organizational and personnel measures for the continuation of the core business after the occurrence of emergencies and crises.

• IT Service Continuity Management: Technical measures to protect and restore critical IT components after failures of the IT infrastructure.

Diagram labels: Business, Business Resilience, Technology Resilience

Page 8

Management viewpoint: Introducing BCM

CIO Perspective: Contribution of IT

▪ Is the role of IT within the BC & RM clearly defined?

▪ Have recovery time objectives for essential IT systems been defined and coordinated with the departments?

▪ Are we sure we can resist or react appropriately in a cyber attack?

▪ Are we able to provide revision-proof data for possible regulatory requirements in case of an IT failure?

CEO Perspective: Competitive advantages

▪ Can we secure the operation without a tested plan?

▪ Can we maintain our business even with a process failure?

▪ What impact would this have on our company value? Our employees? Our customers? Our reputation?

▪ What happens if we breach our Service Level Agreements?

CFO Perspective: Cost efficiency

▪ Is it known which damages are caused by a process failure?

▪ Should the focus be on insurances or the independent treatment of incidents?

▪ Are the existing BC & RM solutions appropriate for the cost-benefit effect?

Page 9

Triggers for change

• REGULATION

• CLIENTS

• SHAREHOLDERS

• COST

• THE BOARD

• EFFICIENCY GAINS

Page 10

©2020 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Is it worth the investment?

Page 11

Business Continuity in a new Era

Page 12

What is Business Continuity Management?

[Figure: service level over time through the phases Prevention, Incident, Response and Recovery (Normal), comparing “Without BCM” and “With BCM”. Annotations: mitigate impact of incidents; reduce recovery time.]

Page 13

Key components of Business Continuity Management?

Page 14

Business Continuity Management System

Based on ISO 22301 PDCA (Plan-Do-Check-Act) model

Establish (Plan)

• Context of the Organization

• BC Policy & Organization

• BC Objectives & Planning

• BC Resources & Competences

• BC Awareness & Communication

• BC Documentation

Implement & Operate (Do)

• Business Impact Analysis

• Risk Assessment

• BC Strategy

• BC / DR Plans

  – Emergency Management

  – Crisis Management

  – Business Recovery

  – IT Disaster Recovery

• BC Exercising and Testing

Monitor & Review (Check)

• BCMS Monitoring & Measure

• BCMS Internal Audit

• BCMS Management Review

Maintain & Improve (Act)

• Non-conformity & Corrective Action

• BCMS Continual Improvement

Other applicable Standards:

• Regulator BCM guidelines

• ISO 22313 – BCM guidelines

• ISO 22320 – Emergency Management, Incident response

• ISO 31000 – Risk Management

Other ISO Management Systems Standards (possible Integrated Management System):

• ISO 9000 – Quality

• ISO 14000 – Environment

• ISO 18000 – Health and Safety

• ISO 27000 – Information Security

• ISO 20000 – IT Service

Page 15

Key success criteria for good BCM

Business Continuity Management

• Change management

• Leadership

• Clarity

• Usability

• Business involvement

• Impact

• Beyond IT

• Practice

Page 16

What can a solid business continuity framework do for your organization?

Benefits for your business

• International best practice

• Standardised approach

• Stakeholder reassurance

• Improved business performance

• Insight to risks and vulnerabilities

SUCCESS

Page 17

Resilience is not a destination; it is a way of being

Page 18

Being resilient requires preparedness

It is the capacity of individuals, organizations and systems to survive, adapt and thrive, no matter what kind of disruptions they experience.

*Picture from a power outage in Manhattan in 2012, where the Goldman Sachs office was the only building running

Page 19

Resilience components

Today clients are focusing on establishing Operational Resilience to empower them with an overarching approach which interlinks all of their individual Resilience Components.

Operational Resilience

• Crisis Management

• Business Continuity Management

• Technology Resilience

• Emergency Management

Page 20

A new approach to operational resilience

• Enterprise-wide: Moving away from siloed functions to develop an end-to-end view, driven by customer needs and linked to organizational goals

• Flexible: Enabling the organization to react appropriately to unknown situations and adapt to changing circumstances, instead of following rigid action plans

• Measurable: Putting operational resilience on the same footing as financial resilience, with specific and quantifiable KPIs, thresholds, tests and reporting

• Top-down: Integrating operational resilience into overall organization management, starting at the top with adequate attention from senior management

Page 21

Achieving operational resilience

Take stock

– Identify critical operations

– Map resources and identify interdependencies

– Identify vulnerabilities

Set the stage

– Create an operational resilience strategy

– Assign roles and responsibilities from the top down

– Break up siloed functions

Know your limits

– Define indicators

– Define thresholds aligned with risk appetite

– Consolidate and harmonize reporting

Prepare for reaction

– Develop inventory of contingency measures and related preparatory steps

– Adapt business continuity plans and incident management

– Execute business continuity plans and testing

Roll out

– Implement the operational resilience framework

– Promote an operational resilience culture

– Learn and improve continuously

Page 22

Key Themes

1. Board-down

2. End-to-End

3. Measured

4. Resilience Culture

5. Recovery-centric

6. Testing

7. Communication

Page 23

©2019 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Benefits of operational resilience

Make crisis responses faster and more effective

Enhance experiences, trust and loyalty for customers and investors

Foster innovation and a sustainable business model

Leverage synergies and improve decision making

Increase adaptability to changing regulation

Allocate resources more effectively and efficiently

Page 24

Key takeaways

▪ Disasters and risk events are not a question of if but when

▪ ISO 22301:2019 provides the backbone for implementing and maintaining effective business continuity plans, systems and processes

▪ A Business Continuity Management System is the key tool to “incident proof” an organization

▪ By building business resilience you gain the capacity to survive, adapt and thrive, no matter what kind of disruptions

Page 25

Questions?

Page 26

Thank you!

DRIVEN BY BUSINESS

We work with our clients to move their business forward. Positively managing cyber risk not only helps take control of uncertainty across business; it can be turned into a genuine strategic advantage.

RAZOR SHARP INSIGHTS

In a fast-moving digital world of constantly evolving threats and opportunities, you need both agility and assurance.

Our people are experts in both cyber security and our priority sectors, which means we give our clients leading edge insight, ideas and proven solutions to act with confidence.

SHOULDER TO SHOULDER

We work with our clients as long term partners, giving them advice and challenge to make decisions with confidence. We understand that this area is often clouded by feelings of doubt and vulnerability so we work hand-in-hand with them to turn that into a real sense of security and opportunity.

Contact us

Benoit Watteyne, Director

M: +32 476 66 53 66, E: [email protected]

Daniel Pairon, Partner

M: +32 495 53 02 02, E: [email protected]

