142 • Supply Chain Risk Management: An Emerging Discipline
dependencies. Analysis of the data gathered through these interviews
paints a picture of the critical paths within a business at any given time.
This step also identifies the business threshold for disruption loss, including
applications, systems, platforms, and infrastructure.
The business impact analysis identifies the preliminary recovery time
objective (RTO)³ and recovery point objective (RPO).⁴ It is important to
remember when designing a business continuity solution that the aim is not
to restore the business to normal, but to restore what is most crucial at a
given time. For example, if the company issued payroll the day before an
"event," restoring the payroll process would not be immediately critical.
But if payroll was due to be released the day after the event, then restoring
the payroll process would be critical, especially to employees. The business
process owners also describe work-around procedures that can be implemented
until the process can be resumed or the staff can return to work.
Risk Assessment. The risk assessment stage identifies business continuity
risks that could result in a business process disruption or hinder
recovery. A risk assessment usually includes a facility assessment and
an environmental analysis. A high-level physical inspection of a facility
should include a review of the electrical design, mechanical heating,
ventilation and air-conditioning (HVAC) design, communications and
network architecture, physical security, emergency egress/ingress, and the
structural design of the data center and call center (as applicable). The
environmental risk analysis estimates the likelihood of natural and man-made
disasters at a specific location. After the risks are identified, they should be
ranked and rated by the criteria specified in the business continuity standards.
Recovery Strategies. The data gathered from the BIA and risk assessment
portray the existing business continuity capabilities and gaps. Recovery
strategies are developed to mitigate the identified risks. Recovery strategies
and their estimated implementation costs are developed and presented to
the business continuity governance board for review. It is up to the
governance board to approve and fund the chosen recovery strategies. Note
that the governance board should also sign off on any high-ranked business
risk it decides not to remediate, recording the reasoning behind that decision
so that the accepted risk is explicit rather than silently carried.
Business Continuity/Disaster Recovery Plans. Business continuity
planning provides for the availability of critical business processes in the event
of an incident that renders facilities, computer systems, and/or employees
inoperable or inaccessible. The goal of creating and implementing
business continuity and disaster recovery plans is to minimize economic
losses resulting from disruptions to business functions. These plans provide
steps and procedures to facilitate an orderly recovery of critical business
functions and/or systems. Business continuity plans address the recovery
of business functions and workspaces; disaster recovery plans address the
recovery of the information technology environment and systems that
support the business. The provisions in these plans are used as the basis for
guiding, preparing for, and effecting recovery activities, at the discretion of
executive management. Tactically, the business continuity/disaster recovery
plans address how to do the following:
• Minimize business losses resulting from disruptions to business processes
• Provide a plan of action to facilitate an orderly recovery of critical
business processes and technical infrastructure
• Identify key individuals or teams who will manage the process of
recovering and restoring the business and/or technology after an
incident or disaster
• Specify the critical business and technical activities that need to
continue after an incident
• Outline the logistics of recovering critical business processes and
technical infrastructure
Proper execution of these plans facilitates the timely recovery of critical
business processes. Business continuity and disaster recovery plans are
effective only if they are maintained properly and their content is current.
A key element of business continuity/disaster recovery plans is the
coordination between information technology and the business process
owners, so that the RTO and RPO each system actually delivers stay aligned
with business requirements as those requirements change over time.
Test and Verify. The business continuity standards guide the business
continuity program's roadmap for the development, testing, and maintenance
of continuity and disaster recovery plans, and for reporting to the governance
board. The tests are used to train associates and create awareness of the
business continuity program model and of individual roles. This is done by
exercising the plan. Levels of plan testing range from tabletop "walk-throughs"
to the actual mobilization of plans. Actual mobilization requires more
resources but provides more thorough results.
The key to a thriving business continuity program is that it is never
stagnant. It is a living process, and as it matures it should evolve into part
of regular business operations rather than being viewed as an add-on.
BCP Exercises
A tabletop or structured walk-through exercise is a paper evaluation of a
portion of a business continuity plan without the expenses or personnel
resources associated with a full test. The exercise scope can vary from a
review of a portion of the BCP to a review of the entire plan. The walk-
through has many worthwhile objectives:
• Verify the contents of the plan
• Prepare for simulation testing
• Train new members and create employee awareness
• Maintain preparedness while limiting use of resources
• Affirm that the strategy documented in the plan is viable
• Educate critical personnel on their responsibilities in a disaster
• Confirm that the information in the plan is current and accurate
• Identify areas of the plan that need revision or updates
The primary benefit of a tabletop exercise, beyond the opportunity to meet
this set of objectives, is that it is cost-effective and noninvasive.
A second type of exercise, called a component exercise, is usually performed
during off-hours and tests a particular segment of the recovery plan. It differs
from the structured walk-through in that it involves actual recovery
activities. The overwhelming benefit of a component exercise is that it is
nondisruptive and focused. Component tests can include the following:
• Tests of the emergency notification system
• Evacuation tests
• Data center or application recovery test
• Remote or dial-in access test
• Critical business function recovery test
A mobilization exercise is an integrated simulation/full operations test
performed at the actual recovery sites and utilizing the backup resources that
would be used during an actual event. A structured walk-through and/or a
component exercise should precede the mobilization exercise. The primary
objective of a mobilization exercise is to test an entire plan, or a portion of
it, under emergency scenarios, validate operational effectiveness and business
unit interdependencies, and provide measurable technical and administrative
results. Measures of test results should be compiled during the exercise and
then compared against the expected results (for example, the recovery times
and data loss actually achieved against the RTO and RPO set in the BIA).
An exercise of this proportion is normally scheduled to take place after
hours or during a weekend. While it is the most costly in terms of resources,
the major benefit of a mobilization exercise is that it requires interdepartmental
coordination and is the truest test of the business continuity program.
After the exercise type, recovery priorities, objectives, timeline, and scenario
have been determined, the company conducts the test, analyzes the findings,
and develops corrective actions. The final step is to update the business
continuity/disaster recovery plan to incorporate the lessons learned from
testing.
CONCLUDING THOUGHTS
The supply chain management concept has come a long way from the days
of materials management, inventory cycle counting, expediting orders,
and fighting fires. The concept has become a profession, and many outside
the industry, including executive managers, have come to the realization
that supply chain excellence is a critical success factor for business.
However, many of the risks we have discussed within the arena of business
operations are still mitigated and managed by reactive metrics and
methodologies. As supply chain risk management matures from a concept
into a discipline, many of the new tools, techniques, mitigation strategies,
and metrics that we present will become an effective way to identify, assess,
mitigate, and manage operational risks.
Summary of Key Points
• Operational risks are by far the most frequent category of risk event,
not only for those who manufacture products, but for service organizations
as well. Operational risks are contained in each of the four pillars of
supply chain risk: supply risk, demand risk, process risk, and environmental risk.
• Operational risks cross several planning and execution horizons. The two
most prevalent horizons are the tactical horizon, which normally covers 1 to
18 months into the future, and the operational horizon, covering 0 to 45
days into the future.
• Supply risk can be further classified into supplier risk, logistics risk,
and fraud, corruption, and counterfeiting risk.
• Demand risk consists of customer risk, product risk, and logistics risk.
• The categories for the process risk pillar are known or hard risks,
unknown or soft risks, and chronic risks that can arise within a company's
four walls.
• The fourth risk pillar, environment/ecosystems risk, is probably the most
immature pillar and also contains known, unknown, and chronic risk
categories.
• One traditional and effective proactive approach to identifying, assessing,
mitigating, and managing operational risks, business continuity planning,
has been around for many years. It is still considered a cost-effective
approach to being prepared for and responsive to risk events, particularly
operational risk events.
• The business continuity life cycle includes six stages: governance,
business impact analysis, risk assessment, recovery strategies, business
continuity/disaster recovery planning, and test and verification.
• A tabletop or structured walk-through exercise is a paper evaluation of a
portion of a business continuity plan without the expenses or personnel
resources associated with a full test. A second type of exercise, called a
component exercise, is usually performed during off-hours, tests a particular
segment of the recovery plan, and involves actual recovery activities.
ENDNOTES
1. Accessed from The European Banking Authority (EBA) and The European Bank for
Reconstruction and Development (EBRD) at www.eba.europa.eu and www.EBRD.com.
2. Accessed from www.dictionary.com.
3. RTO = Recovery Time Objective: the maximum tolerable time to recover critical
business functions and the resources that support each function.
4. RPO = Recovery Point Objective: the maximum amount of data loss allowable,
measured as the time elapsed since the last recoverable copy of the data.
5. The authors would like to acknowledge the contribution of Betty Barnes to this
section.